Preface



INDOCRYPT 2001, the Second Annual Crypto Conference, is proof of the significant amount of enthusiasm generated among Indian as well as international crypto communities. INDOCRYPT 2001 was organized by the Indian Institute of Technology, Madras and the Institute of Mathematical Sciences, also located in Madras (now Chennai). This event was enthusiastically co-sponsored by eAlcatraz Consulting Private Ltd, Chennai, Odyssey Technologies Ltd, Chennai, and Shanmuga Arts Science Technology and Research Academy (SASTRA), Thanjavur. The Program Committee Co-chair, Prof. C. Pandu Rangan, was responsible for local organization and registration.

The Program Committee considered 77 papers and selected 31 papers for 
presentation. These papers were selected on the basis of perceived originality, 
quality, and relevance to the field of cryptography. The proceedings include the 
revised version of the accepted papers. Revisions were not checked as to their 
contents and authors bear full responsibility for the contents of their submissions. 

The selection of papers is a very challenging and demanding task. We wish to thank the Program Committee members who did an excellent job in reviewing the submissions in spite of severe time constraints imposed by the tight processing schedule. Each submission was reviewed by at least three referees (only a few by two). The Program Committee was ably assisted by a large number of reviewers in their area of expertise. The list of reviewers has been provided separately. Our thanks go to all of them.

The conference program included three invited lectures by Prof. Andrew Klapper, University of Kentucky, USA, Dr. Anne Canteaut, INRIA, France, and Dr. Tatsuaki Okamoto, NTT Labs, Japan. In addition to these three invited lectures, pre-conference and post-conference tutorials were conducted by Ramarathnam Venkatesan, Microsoft, Redmond, USA on Random Number Generators: Theory and Practice and by Dipankar Dasgupta, The University of Memphis, USA on a Bio-Inspired Approach to Computer Security. Industrial presentations on the best practices were also scheduled during these days.

Our sincere thanks go to Springer-Verlag, in particular to Mr. Alfred Hofmann, for publishing the proceedings of INDOCRYPT 2001 as a volume in their prestigious LNCS series. We are also indebted to Prof. Bimal Roy and Prof. C.E. Veni Madhavan and to all the members of the Steering Committee for their valuable advice and suggestions. We gratefully acknowledge the financial support extended by our co-sponsors and 'Golden' sponsors. We wish to make a special mention of the enthusiastic financial support extended by the IIT Madras Alumni Association in North America (IITMAANA), enabling a large number of students and faculty members from various universities in India to attend the conference.

This conference handled all the submissions as well as refereeing in electronic 
form. The ERNET centre located at IIT Madras, coordinated by Prof. S.V. 
Raghavan, provided excellent internet services at every stage of this conference. 







We wish to place on record our sincere thanks to Prof. R. Natarajan, Director, 
IIT, Madras, Prof. C.R. Muthukrishnan, Deputy Director, IIT, Madras and Prof. 
Srinivasa Murthy, Dean, IC&SR, IIT, Madras for encouraging and supporting 
the conference in every possible way. 

Finally we wish to thank all the authors who submitted papers, making this conference possible, and the authors of accepted papers for updating their papers in a timely fashion, making the production of these proceedings possible.
Cryptographic Functions and Design Criteria for Block Ciphers



Anne Canteaut 

INRIA - projet CODES, 

BP 105, 78153 Le Chesnay, France 
Anne.Canteaut@inria.fr

Abstract. Most last-round attacks on iterated block ciphers provide some design criteria for the round function. Here, we focus on the links between the underlying properties. Most notably, we investigate the relations between the functions which oppose a high resistance to linear cryptanalysis and to differential cryptanalysis.



1 Introduction 

The development of cryptanalysis in the last ten years has led to the definition of some design criteria for block ciphers. These criteria correspond to some mathematical properties of the round function which is used in an iterated block cipher. They essentially concern the confusion part of the round function, usually named S-box. Most notably, the use of a highly nonlinear round function ensures a high resistance to linear attacks. Similarly, the resistance to differential attacks is related to some properties of the derivatives of the round function. The functions which are optimal regarding these criteria are respectively called almost bent and almost perfect nonlinear. For instance, such functions are used in the block cipher MISTY [26]. However, these functions present some particular properties which may introduce other weaknesses in the cipher (e.g. see [17]).

This paper describes the link between the design criteria related to differential attacks, linear attacks and higher order differential attacks. We provide some tools for establishing a general relationship between the nonlinearity of a function and its resistance to differential attacks. Most notably, we give a characterization of almost bent functions using a divisibility property of their Walsh coefficients. We also show that this structure is specific to optimal functions. Most results in this paper rely on joint work with P. Charpin and H. Dobbertin [6,4,5].

The following section reviews the design criteria associated to some classical last-round attacks. Section 3 focuses on the functions which ensure the best resistance to differential attacks, to linear attacks and to higher order differential attacks. We show in Section 4 that these optimal functions are related to other optimal objects which appear in different areas of telecommunications. For example, almost bent functions correspond to particular error-correcting codes and to pairs of m-sequences with preferred crosscorrelation. Section 5 presents the links between the previous design criteria, especially for the case of optimal functions.
2 Last-Round Attacks on Iterated Block Ciphers

In an iterated block cipher, the ciphertext is obtained by iteratively applying a keyed round function $F$ to the plaintext. In an $r$-round iterated cipher, we have

$x_i = F(x_{i-1}, K_i)$ for $1 \le i \le r$,

where $x_0$ is the plaintext, $x_r$ is the ciphertext and the $r$ round keys $(K_1, \ldots, K_r)$ are usually derived from a unique secret key by a key schedule algorithm. For any fixed round key $K$, the round function $F_K : x \mapsto F(x, K)$ is a permutation of the set of $n$-bit vectors, $\mathbb{F}_2^n$, where $n$ is the block size.

Most attacks on iterated block ciphers consist in recovering the last round key $K_r$ from the knowledge of some pairs of plaintexts and ciphertexts. For this purpose, we consider the reduced cipher, i.e., the cipher obtained by removing the final round of the original cipher. The reduced cipher corresponds to the function $G = F_{K_{r-1}} \circ \ldots \circ F_{K_1}$. The key point in a last-round attack is to be able to distinguish the reduced cipher from a random permutation for all round keys $K_1, \ldots, K_{r-1}$. If such a discriminator can be found, some information on $K_r$ can be recovered by checking whether, for a given value $k_r$, the function

$x_0 \mapsto F_{k_r}^{-1}(x_r)$

satisfies this property or not, where $x_0$ (resp. $x_r$) denotes the plaintext (resp. the ciphertext). The values of $k_r$ for which the expected statistical bias is observed are candidates for the correct last-round key.

Different discriminators can be exploited. Most notably, a last-round attack can be performed when the reduced cipher satisfies one of the following properties:

— The reduced cipher $G$ has a derivative, $D_aG : x \mapsto G(x+a) + G(x)$, which is not uniformly distributed. This discriminator leads to a differential attack [1];

— There exists a linear combination of the $n$ output bits of the reduced cipher which is close to an affine function. This leads to a linear attack [24,25];

— The reduced cipher has a constant $k$-th derivative for a small $k$. This leads to a higher order differential attack [20];

— The reduced cipher, seen as a univariate polynomial in $\mathbb{F}_{2^n}[X]$, is close to a low-degree polynomial. This leads to an interpolation attack [17] or to an improved version using Sudan's algorithm [16].

In most cases, such a property on the reduced cipher can be detected only if the round function presents a similar weakness. Therefore, a necessary condition for an iterated cipher to resist these attacks is to use a round function which does not present any of the previous characteristics. Then, the round function should satisfy the following properties for any round key $K$:

(i) For any $a \in \mathbb{F}_2^n$, $a \ne 0$, the output distribution of $D_aF_K : x \mapsto F_K(x+a) + F_K(x)$ should be close to the uniform distribution;

(ii) For any $a \in \mathbb{F}_2^n$, $a \ne 0$, the Boolean function $x \mapsto a \cdot F_K(x)$ should be far away from all affine functions;

(iii) The Boolean functions $x \mapsto a \cdot F_K(x)$ should have a high degree;

(iv) The function $F_K$, seen as a univariate polynomial in $\mathbb{F}_{2^n}[X]$, should be far away from all low-degree polynomials.

Some of these conditions may be sufficient in particular cases to guarantee that the iterated cipher resists the corresponding attack (e.g. see [31]).

Note that the first three properties are invariant under both right and left composition by a linear permutation of $\mathbb{F}_2^n$. Then, they only concern the confusion part of the round function. In the following, we only investigate the first three properties, since the mathematical nature of the last criterion is quite different.

3 Almost Perfect Round Functions

A Boolean function $f$ of $n$ variables is a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2$. It can be expressed as a polynomial in $x_1, \ldots, x_n$, called its algebraic normal form. The degree of $f$, denoted by $\deg(f)$, is the degree of its algebraic normal form.

3.1 Resistance against Differential Attacks

The resistance of an iterated cipher with round function $F_K$ against differential cryptanalysis can be quantified by some properties of the derivatives (or differentials) of $F_K$.

Definition 1. [22] Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. For any $a \in \mathbb{F}_2^n$, the derivative of $F$ with respect to $a$ is the function

$D_aF(x) = F(x+a) + F(x)$.

For any $k$-dimensional subspace $V$ of $\mathbb{F}_2^n$, the $k$-th derivative of $F$ with respect to $V$ is the function

$D_VF = D_{a_1}D_{a_2}\cdots D_{a_k}F$,

where $(a_1, \ldots, a_k)$ is any basis of $V$.

It is clear that an iterated cipher is vulnerable to a differential attack if there exist two nonzero elements $a$ and $b$ in $\mathbb{F}_2^n$ such that, for any round key $K$, the number of $x \in \mathbb{F}_2^n$ satisfying

$F_K(x+a) + F_K(x) = b \quad (1)$

is high. Therefore, a necessary security condition is that, for any $K$,

$\delta_{F_K} = \max_{a \ne 0,\ b \ne 0} \#\{x \in \mathbb{F}_2^n,\ F_K(x+a) + F_K(x) = b\}$

should be small. It clearly appears that the number of solutions of Equation (1) is even (because $x_0$ is a solution if and only if $x_0 + a$ is a solution). Then, we deduce
Proposition 1. [31] For any function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$, we have

$\delta_F \ge 2$.

In case of equality, $F$ is said to be almost perfect nonlinear (APN).

Note that the terminology APN comes from the general bound

$\delta_F \ge 2^{n-m}$

for a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, where the functions achieving this bound are called perfect nonlinear functions [28]. Such functions only exist when $n$ is even and $n \ge 2m$ [29].

The definition of APN functions can be expressed in terms of second derivatives:

Proposition 2. A function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ is APN if and only if, for any nonzero elements $a$ and $b$ in $\mathbb{F}_2^n$ with $a \ne b$, we have

$D_aD_bF(x) \ne 0$ for all $x \in \mathbb{F}_2^n$.

All known APN functions are functions of an odd number of variables. Actually, it is conjectured that, for any function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ with $n$ even, we have

$\delta_F \ge 4$.

This statement is proved for some particular cases, most notably for power functions [2,10].

3.2 Resistance against Linear Attacks

The resistance against linear attacks involves the Walsh spectrum of the round function.

In the following, the usual dot product between two vectors $x$ and $y$ is denoted by $x \cdot y$. For any $a \in \mathbb{F}_2^n$, $\varphi_a$ is the linear function of $n$ variables $x \mapsto a \cdot x$. For any Boolean function $f$ of $n$ variables, we denote by $\mathcal{F}(f)$ the following value related to the Walsh (or Fourier) transform of $f$:

$\mathcal{F}(f) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} = 2^n - 2\,wt(f)$,

where $wt(f)$ is the Hamming weight of $f$, i.e., the number of $x \in \mathbb{F}_2^n$ such that $f(x) = 1$.

Definition 2. The Walsh spectrum of a Boolean function $f$ of $n$ variables is the multiset

$\{\mathcal{F}(f + \varphi_a),\ a \in \mathbb{F}_2^n\}$.

The Walsh spectrum of a vectorial function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ consists of the Walsh spectra of all Boolean functions $\varphi_a \circ F : x \mapsto a \cdot F(x)$, $a \ne 0$. Therefore, it corresponds to the multiset

$\{\mathcal{F}(\varphi_a \circ F + \varphi_\beta),\ a \in \mathbb{F}_2^n \setminus \{0\},\ \beta \in \mathbb{F}_2^n\}$.
The security criterion corresponding to linear cryptanalysis is that all functions $\varphi_a \circ F_K$, $a \ne 0$, should be far away from all affine functions. This requirement is related to the nonlinearity of the functions $F_K$.

Definition 3. The nonlinearity of a function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ is the Hamming distance between all $\varphi_a \circ F$, $a \in \mathbb{F}_2^n$, $a \ne 0$, and the set of affine functions. It is given by

$2^{n-1} - \frac{1}{2}\mathcal{L}(F)$ where $\mathcal{L}(F) = \max_{a \ne 0}\ \max_{\beta \in \mathbb{F}_2^n} |\mathcal{F}(\varphi_a \circ F + \varphi_\beta)|$.

Proposition 3. [33,9] For any function $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$,

$\mathcal{L}(F) \ge 2^{\frac{n+1}{2}}$.

In case of equality $F$ is called almost bent (AB).

For a function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, we have

$\mathcal{L}(F) \ge 2^{\frac{n}{2}}$,

where the functions achieving this bound are called bent functions. It was proved that a function is bent if and only if it is perfect nonlinear [28,29].

The minimum value of $\mathcal{L}(F)$ where $F$ is a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ can only be achieved when $n$ is odd. For even $n$, some functions with $\mathcal{L}(F) = 2^{\frac{n}{2}+1}$ are known and it is conjectured that this value is the minimum [32,12].
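The two quantities defined above, $\delta_F$ (Section 3.1) and $\mathcal{L}(F)$ together with the Walsh spectrum (Section 3.2), can be computed exhaustively for a power function over a small field. The following Python is an added example, not code from the paper; the field sizes, primitive polynomials and exponents are the editor's choice (the Gold exponent $s = 3$ over $\mathbb{F}_{2^5}$ and the inverse permutation over $\mathbb{F}_{2^6}$). It also reports the largest power of two dividing every Walsh coefficient, the quantity that Section 5 uses to characterize AB functions.

```python
"""Differential uniformity delta_F, Walsh spectrum, L(F) and Walsh
divisibility of a power function F(x) = x^s over GF(2^n), following the
definitions of Sections 3.1 and 3.2.  Added example, not the paper's code;
the field sizes, primitive polynomials and exponents are chosen here."""
from math import gcd


def gf2n_mul(a, b, n, poly):
    """Multiply a, b in GF(2^n) (elements as n-bit ints) modulo `poly`,
    a primitive polynomial of degree n given with its leading x^n bit."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce modulo poly
            a ^= poly
    return r


def power_function(s, n, poly):
    """Lookup table of F(x) = x^s over GF(2^n), indexed by x (0^s = 0 for s > 0)."""
    table = []
    for x in range(1 << n):
        y, base, e = 1, x, s
        while e:                       # square-and-multiply
            if e & 1:
                y = gf2n_mul(y, base, n, poly)
            base = gf2n_mul(base, base, n, poly)
            e >>= 1
        table.append(y)
    return table


def dot(a, b):
    """Dot product a . b over GF(2): parity of the bitwise AND."""
    return bin(a & b).count("1") & 1


def differential_uniformity(F):
    """delta_F = max over a != 0, b != 0 of #{x : F(x + a) + F(x) = b}."""
    size = len(F)
    delta = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[F[x ^ a] ^ F[x]] += 1   # + over GF(2)^n is XOR
        delta = max(delta, max(counts[1:]))
    return delta


def walsh_spectrum(F, n):
    """Walsh coefficients F(phi_a o F + phi_beta) = sum_x (-1)^(a.F(x) + beta.x)
    for a != 0 and all beta; returned as a flat list (the multiset of Def. 2)."""
    size = 1 << n
    coeffs = []
    for a in range(1, size):
        for beta in range(size):
            acc = 0
            for x in range(size):
                acc += -1 if dot(a, F[x]) ^ dot(beta, x) else 1
            coeffs.append(acc)
    return coeffs


def linearity(coeffs):
    """L(F) = max |Walsh coefficient|; the nonlinearity is 2^(n-1) - L(F)/2."""
    return max(abs(c) for c in coeffs)


def walsh_divisibility(coeffs):
    """Largest power of two dividing every Walsh coefficient of F."""
    g = 0
    for c in coeffs:
        g = gcd(g, abs(c))
    return g & -g                      # lowest set bit of the gcd


def analyse(s, n, poly):
    """Return delta_F, L(F) and the Walsh divisibility of x^s over GF(2^n)."""
    F = power_function(s, n, poly)
    w = walsh_spectrum(F, n)
    return {"delta": differential_uniformity(F),
            "L": linearity(w),
            "divisibility": walsh_divisibility(w)}


if __name__ == "__main__":
    # Gold exponent s = 2 + 1 over GF(2^5), primitive polynomial x^5 + x^2 + 1:
    # APN (delta = 2) and AB (L = 2^((n+1)/2) = 8, coefficients in {0, +-8}).
    print("x^3  over GF(2^5):", analyse(3, 5, 0b100101))
    # Inverse permutation x^(2^6 - 2) over GF(2^6), polynomial x^6 + x + 1:
    # n even, so delta = 4, L = 2^(n/2 + 1) = 16, coefficients divisible by 4 only.
    print("x^62 over GF(2^6):", analyse(62, 6, 0b1000011))
```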

3.3 Resistance against Higher Order Differential Attacks

In a higher order differential attack, the attacker exploits the existence of a $k$-dimensional subspace $V \subset \mathbb{F}_2^n$ such that the reduced cipher $G$ satisfies

$D_VG(x) = c$ for all $x \in \mathbb{F}_2^n$,

where $c$ is a constant which does not depend on the round keys $K_1, \ldots, K_{r-1}$. A natural candidate for $V$ arises when the degree of the reduced cipher is known.

Definition 4. The degree of a function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ is the maximum degree of its Boolean components:

$\deg(F) = \max_{1 \le i \le n} \deg(\varphi_{e_i} \circ F)$

where $(e_1, \ldots, e_n)$ denotes the canonical basis of $\mathbb{F}_2^n$.

Actually, we have

Proposition 4. [22] Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ of degree $d$. Then, for any $(d+1)$-dimensional subspace $V \subset \mathbb{F}_2^n$, we have

$D_VF(x) = 0$ for all $x \in \mathbb{F}_2^n$.

Note that the dimension of the smallest subspace $V$ satisfying $D_VF = 0$ may be smaller than $\deg(F) + 1$.
4 Related Objects

The results concerning almost perfect functions widely apply in several areas of telecommunications: almost perfect nonlinear and almost bent functions are related to metric properties of some linear codes, especially of binary cyclic codes with two zeros. Almost bent power functions also correspond to pairs of maximum-length sequences with preferred crosscorrelation.

4.1 Links with Error-Correcting Codes

Carlet, Charpin and Zinoviev have pointed out that both APN and AB properties can be expressed in terms of error-correcting codes [8].

Since both APN and AB properties are invariant under translation, we here only consider the functions $F$ such that $F(0, \ldots, 0) = 0$. We use the standard notation of algebraic coding theory (see [23]). Any $k$-dimensional subspace of $\mathbb{F}_2^n$ is called a binary linear code of length $n$ and dimension $k$ and is denoted by $[n, k]$. Any $[n, k]$-linear code $C$ is associated with its dual $[n, n-k]$-code, denoted by $C^\perp$:

$C^\perp = \{x \in \mathbb{F}_2^n,\ x \cdot c = 0\ \forall c \in C\}$.

Any $k \times n$ binary matrix $G$ defines an $[n, k]$-binary linear code $C$:

$C = \{xG,\ x \in \mathbb{F}_2^k\}$.

We then say that $G$ is a generator matrix of $C$.

Let $(\alpha_i,\ 1 \le i \le 2^n - 1)$ denote the set of all nonzero elements of $\mathbb{F}_2^n$. We consider the linear binary code $C_F$ of length $(2^n - 1)$ and dimension $2n$ defined by the generator matrix

$G_F = \begin{pmatrix} \alpha_1 & \alpha_2 & \alpha_3 & \cdots & \alpha_{2^n-1} \\ F(\alpha_1) & F(\alpha_2) & F(\alpha_3) & \cdots & F(\alpha_{2^n-1}) \end{pmatrix} \quad (2)$

where each entry in $\mathbb{F}_2^n$ is viewed as a binary column vector of length $n$. It clearly appears that any codeword in $C_F$ corresponds to a vector $(a \cdot \alpha_i + b \cdot F(\alpha_i),\ 1 \le i \le 2^n - 1)$. Therefore, its Hamming weight is given by

$\#\{i,\ 1 \le i \le 2^n - 1,\ a \cdot \alpha_i + b \cdot F(\alpha_i) = 1\} = 2^{n-1} - \frac{1}{2}\mathcal{F}(\varphi_b \circ F + \varphi_a)$.

Moreover, a vector $(c_1, \ldots, c_{2^n-1})$ belongs to the dual code $C_F^\perp$ if and only if

$\sum_{i=1}^{2^n-1} c_i \alpha_i = 0$ and $\sum_{i=1}^{2^n-1} c_i F(\alpha_i) = 0$.

Then, we obviously have that the minimum distance of $C_F^\perp$ is at least 3. Moreover, there exist three different indexes $i_1, i_2, i_3$ such that

$F(\alpha_{i_1}) + F(\alpha_{i_2}) + F(\alpha_{i_3}) + F(\alpha_{i_1} + \alpha_{i_2} + \alpha_{i_3}) = 0$

if and only if $C_F^\perp$ contains a codeword of Hamming weight 4 (or 3 if $\alpha_{i_1} + \alpha_{i_2} + \alpha_{i_3} = 0$).

Therefore, we obtain the following correspondence:
Theorem 1. [8] Let $F$ be a permutation from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ with $F(0) = 0$. Let $C_F$ be the linear binary code of length $2^n - 1$ and dimension $2n$ with generator matrix $G_F$ described by (2). Then,

(i) $\mathcal{L}(F) = \max_{c \in C_F,\ c \ne 0} |2^n - 2\,wt(c)|$.

In particular, for odd $n$, $F$ is AB if and only if for any non-zero codeword $c \in C_F$,

$2^{n-1} - 2^{\frac{n-1}{2}} \le wt(c) \le 2^{n-1} + 2^{\frac{n-1}{2}}$.

(ii) $F$ is APN if and only if the code $C_F^\perp$ has minimum distance 5.

When the vector space $\mathbb{F}_2^n$ is identified with the finite field $\mathbb{F}_{2^n}$, the function $F$ can be expressed as a unique polynomial of $\mathbb{F}_{2^n}[X]$. Now, we focus on power functions $F$, i.e., $F(x) = x^s$ over $\mathbb{F}_{2^n}$. In that case, the linear code $C_F^\perp$ associated to $x^s$ is a binary cyclic code of length $(2^n - 1)$ with two zeros.

Definition 5. A linear binary code $C$ of length $N$ is cyclic if for any codeword $(c_0, \ldots, c_{N-1})$ in $C$, the vector $(c_{N-1}, c_0, \ldots, c_{N-2})$ is also in $C$.

If each vector $(c_0, \ldots, c_{N-1}) \in \mathbb{F}_2^N$ is associated with the polynomial $c(X) = \sum_{i=0}^{N-1} c_i X^i$ in $\mathcal{R}_N = \mathbb{F}_2[X]/(X^N - 1)$, any binary cyclic code of length $N$ is an ideal of $\mathcal{R}_N$. Since $\mathcal{R}_N$ is a principal domain, any cyclic code $C$ of length $N$ is generated by a unique monic polynomial $g$ having minimal degree. This polynomial is called the generator polynomial of the code and its roots are the zeros of $C$. For $N = 2^n - 1$, the defining set of $C$ is then the set

$I(C) = \{i \in \{0, \ldots, 2^n - 2\}\ |\ \alpha^i \text{ is a zero of } C\}$,

where $\alpha$ is a primitive element of $\mathbb{F}_{2^n}$. Since $C$ is a binary code, its defining set is a union of 2-cyclotomic cosets modulo $(2^n - 1)$, $Cl(a)$, where $Cl(a) = \{2^j a \bmod (2^n - 1)\}$. Therefore, the defining set of a binary cyclic code of length $(2^n - 1)$ is usually identified with the representatives of the corresponding 2-cyclotomic cosets modulo $(2^n - 1)$. In this context, the linear code $C_F$ associated to the power function $F : x \mapsto x^s$ on $\mathbb{F}_{2^n}$ is defined by the following generator matrix:

$G_F = \begin{pmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^{2^n-2} \\ 1 & \alpha^s & \alpha^{2s} & \cdots & \alpha^{(2^n-2)s} \end{pmatrix}$.

Then, the dual code $C_F^\perp$ consists of all binary vectors $c$ of length $(2^n - 1)$ such that $c\,G_F^T = 0$. The code $C_F^\perp$ is therefore the binary cyclic code of length $(2^n - 1)$ with defining set $\{1, s\}$.

4.2 Crosscorrelation of a Pair of Binary m-sequences

A binary sequence $(u_i)_{i \ge 0}$ generated by a linear feedback shift register (LFSR) of length $n$ has maximal period when the feedback polynomial of the LFSR is primitive. Such a sequence is called an m-sequence of length $(2^n - 1)$. A binary m-sequence of length $(2^n - 1)$ is identified with the binary vector of length $(2^n - 1)$ consisting of its first $(2^n - 1)$ bits. A further property of m-sequences is that they are almost uncorrelated with their cyclic shifts. This property is important in many communication systems (such as radar communications or transmissions using spread-spectrum techniques) since it is often required that a signal can be easily distinguished from any time-shifted version of itself. It is well-known that for any m-sequence $u$ of length $(2^n - 1)$ there exists a unique $c \in \mathbb{F}_{2^n} \setminus \{0\}$ such that

$\forall i,\ 0 \le i \le 2^n - 2,\quad u_i = Tr(c\alpha^i)$

where $\alpha$ is a root of the feedback polynomial of the LFSR generating $u$ (i.e., $\alpha$ is a primitive element of $\mathbb{F}_{2^n}$) and $Tr$ denotes the trace function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_2$.

When a communication system uses a set of several signals (usually corresponding to different users), it is also required that each of these signals can be easily distinguished from any other signal in the set and its time-shifted versions. This property is of great importance especially in code-division multiple access systems. The distance between a sequence $u$ and all cyclic shifts of another sequence $v$ can be computed with the crosscorrelation function:

Definition 6. Let $u$ and $v$ be two different binary sequences of length $N$. The crosscorrelation function between $u$ and $v$, denoted by $\theta_{u,v}$, is defined as

$\theta_{u,v}(\tau) = \sum_{i=0}^{N-1} (-1)^{u_i + v_{i+\tau}}$.

The corresponding crosscorrelation spectrum is the multiset

$\{\theta_{u,v}(\tau),\ 0 \le \tau \le N - 1\}$.

Since $\theta_{u,v}(\tau) = N - 2\,wt(u + \sigma^\tau v)$ where $\sigma$ denotes the cyclic shift operator, the above mentioned applications use pairs of sequences $(u, v)$ such that $|\theta_{u,v}(\tau)|$ is small for all $\tau \in \{0, \ldots, N - 1\}$.

If $u$ and $v$ are two different binary m-sequences of length $(2^n - 1)$, there exists an integer $s$ in $\{0, \ldots, 2^n - 2\}$ and a pair $(c_1, c_2)$ of non-zero elements of $\mathbb{F}_{2^n}$ such that

$\forall i,\ 0 \le i \le 2^n - 2,\quad u_i = Tr(c_1\alpha^i)$ and $v_i = Tr(c_2\alpha^{si})$.

If $c_1 = c_2$, the sequence $v$ is said to be a decimation by $s$ of $u$. Writing $c_1 = \alpha^{j_1}$ and $c_2 = \alpha^{s j_2}$, the crosscorrelation function for the pair $(u, v)$ is given by:

$\theta_{u,v}(\tau) = \sum_{i=0}^{2^n-2} (-1)^{Tr(\alpha^{j_1+i} + \alpha^{s(i+\tau')})} = \sum_{x \in \mathbb{F}_{2^n}^*} (-1)^{Tr(c_1 x + \alpha^{s\tau'} x^s)}$,

where $\tau' = j_2 + \tau$. It follows that the corresponding crosscorrelation spectrum does not depend on the choice of $j_2$. It is then sufficient to study the pairs $(u, v)$ where $v$ is a decimation by $s$ of $u$.
Now, we show that the crosscorrelation spectrum of pairs of binary m-sequences is related to the Walsh spectrum of a power function.

Proposition 5. Let $n$ and $s$ be two positive integers such that $\gcd(s, 2^n - 1) = 1$ and $s$ is not a power of 2. Let $\{\theta_s(\tau),\ 0 \le \tau \le 2^n - 2\}$ be the crosscorrelation spectrum between an m-sequence of length $(2^n - 1)$ and its decimation by $s$. Let $F$ be the power function $x \mapsto x^s$ over $\mathbb{F}_{2^n}$. Then, for any $a \in \mathbb{F}_{2^n}$, $a \ne 0$, we have

$\{\theta_s(\tau),\ 0 \le \tau \le 2^n - 2\} = \{\mathcal{F}(\varphi_a \circ F + \varphi_\beta) - 1,\ \beta \in \mathbb{F}_{2^n} \setminus \{0\}\}$.

Most notably,

$\max_{0 \le \tau \le 2^n - 2} |\theta_s(\tau) + 1| = \mathcal{L}(F)$.

In particular when $n$ is odd, the lowest possible value for $\max_\tau |\theta_s(\tau) + 1|$ is $2^{\frac{n+1}{2}}$.

Definition 7. The crosscorrelation $\theta_{u,v}$ between two m-sequences $u$ and $v$ of length $(2^n - 1)$ is said to be preferred if it satisfies

$\max_\tau |\theta_{u,v}(\tau) + 1| = 2^{\frac{n+1}{2}}$.

Therefore, the decimations $s$ which lead to a preferred crosscorrelation exactly correspond to the exponents $s$ such that $x \mapsto x^s$ is an almost bent permutation over $\mathbb{F}_{2^n}$.
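Proposition 5 can be checked directly from an LFSR. The following Python is an added example, not code from the paper: it generates an m-sequence of length 31 from the primitive polynomial $x^5 + x^2 + 1$ (editor's choice), decimates it by $s$, and computes the crosscorrelation spectrum of Definition 6. For the Gold decimation $s = 3$ the spectrum is preferred, $\max_\tau |\theta_s(\tau) + 1| = 2^{(n+1)/2} = 8$; for $s = 30$, the decimation corresponding to the inverse permutation (APN but not AB), the peak exceeds 8.

```python
"""Crosscorrelation spectrum of a binary m-sequence and its decimation by s
(Definition 6 and Proposition 5).  Added example, not the paper's code; the
LFSR feedback polynomial and the decimations are chosen here."""


def m_sequence(n, poly, seed=1):
    """One period (2^n - 1 bits) of the m-sequence generated by an LFSR of
    length n whose primitive feedback polynomial `poly` has bit j set for
    the term x^j (bit n is the leading term); `seed` is any nonzero state."""
    period = (1 << n) - 1
    u = [(seed >> j) & 1 for j in range(n)]
    for i in range(period - n):
        # recurrence u_{i+n} = sum_j c_j u_{i+j}, read off x^n = sum_j c_j x^j
        bit = 0
        for j in range(n):
            if (poly >> j) & 1:
                bit ^= u[i + j]
        u.append(bit)
    return u


def decimation(u, s):
    """v_i = u_{s i mod N}: the decimation by s of u."""
    period = len(u)
    return [u[(s * i) % period] for i in range(period)]


def crosscorrelation_spectrum(u, v):
    """theta_{u,v}(tau) = sum_i (-1)^(u_i + v_{i+tau}) for 0 <= tau < N."""
    period = len(u)
    theta = []
    for tau in range(period):
        acc = 0
        for i in range(period):
            acc += -1 if u[i] ^ v[(i + tau) % period] else 1
        theta.append(acc)
    return theta


def decimation_spectrum(n, poly, s):
    """Sorted distinct values of theta_s and max |theta_s(tau) + 1|, which
    Proposition 5 identifies with L(F) for F(x) = x^s over GF(2^n)."""
    u = m_sequence(n, poly)
    theta = crosscorrelation_spectrum(u, decimation(u, s))
    return sorted(set(theta)), max(abs(t + 1) for t in theta)


if __name__ == "__main__":
    # LFSR with feedback polynomial x^5 + x^2 + 1 (primitive), period 31.
    # s = 3 (Gold): preferred, values {-9, -1, 7}, max |theta + 1| = 8.
    print("s = 3: ", decimation_spectrum(5, 0b100101, 3))
    # s = 30 = 2^5 - 2 (inverse permutation, APN but not AB): peak above 8.
    print("s = 30:", decimation_spectrum(5, 0b100101, 30))
```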

5 Relations between the Security Criteria

Now, we establish the links between both APN and AB properties. Chabaud and Vaudenay [9] proved that any AB function is APN. Here, we refine this result, since we give a necessary and sufficient condition for an APN function to be AB. We use the following relation involving the Walsh coefficients of a function.

Proposition 6. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. Then, we have

$\sum_{a \in \mathbb{F}_2^n \setminus \{0\}} \sum_{\beta \in \mathbb{F}_2^n} \mathcal{F}^4(\varphi_a \circ F + \varphi_\beta) = 2^{3n+1}(2^n - 1) + 2^{2n}\Delta$,

where $\Delta = \#\{(x, a, b) \in (\mathbb{F}_2^n)^3,\ a \ne 0,\ b \ne 0,\ a \ne b,\ \text{such that } D_aD_bF(x) = 0\}$. Most notably, we have

$\sum_{a \in \mathbb{F}_2^n \setminus \{0\}} \sum_{\beta \in \mathbb{F}_2^n} \mathcal{F}^4(\varphi_a \circ F + \varphi_\beta) \ge 2^{3n+1}(2^n - 1)$,

with equality if and only if $F$ is APN.
Proof. For any Boolean function $f$ of $n$ variables, we have [3, Prop. II.1]

$\sum_{\beta \in \mathbb{F}_2^n} \mathcal{F}^4(f + \varphi_\beta) = 2^n \sum_{a, b \in \mathbb{F}_2^n} \mathcal{F}(D_aD_bf)$.

By applying this relation to all $\varphi_\alpha \circ F$, we deduce

$S = \sum_{\alpha \in \mathbb{F}_2^n \setminus \{0\}} \sum_{\beta \in \mathbb{F}_2^n} \mathcal{F}^4(\varphi_\alpha \circ F + \varphi_\beta)$
$\quad = 2^n \sum_{\alpha \in \mathbb{F}_2^n \setminus \{0\}} \sum_{a, b \in \mathbb{F}_2^n} \mathcal{F}(D_aD_b(\varphi_\alpha \circ F))$
$\quad = 2^n \sum_{\alpha \in \mathbb{F}_2^n \setminus \{0\}} \sum_{a, b \in \mathbb{F}_2^n} \mathcal{F}(\varphi_\alpha \circ D_aD_bF)$
$\quad = 2^n \sum_{a, b \in \mathbb{F}_2^n} \sum_{\alpha \in \mathbb{F}_2^n} \mathcal{F}(\varphi_\alpha \circ D_aD_bF) - 2^{4n}$,

where the last equality is obtained by adding the terms corresponding to $\alpha = 0$ in the sum. Now, for any $a, b \in \mathbb{F}_2^n$, we have

$\sum_{\alpha \in \mathbb{F}_2^n} \mathcal{F}(\varphi_\alpha \circ D_aD_bF) = \sum_{\alpha \in \mathbb{F}_2^n} \sum_{x \in \mathbb{F}_2^n} (-1)^{\alpha \cdot D_aD_bF(x)}$.

Using that

$\sum_{\alpha \in \mathbb{F}_2^n} (-1)^{\alpha \cdot y} = 2^n$ if $y = 0$ and $0$ otherwise,

we obtain

$\sum_{\alpha \in \mathbb{F}_2^n} \mathcal{F}(\varphi_\alpha \circ D_aD_bF) = 2^n \#\{x \in \mathbb{F}_2^n,\ D_aD_bF(x) = 0\}$.

Therefore,

$S = 2^{2n} \#\{(x, a, b) \in (\mathbb{F}_2^n)^3,\ D_aD_bF(x) = 0\} - 2^{4n}$.

Since $D_aD_bF = 0$ when either $a = 0$ or $b = 0$ or $a = b$, we get

$S = 2^{2n}[2^n(3(2^n - 1) + 1) + \Delta] - 2^{4n} = 2^{3n+1}(2^n - 1) + 2^{2n}\Delta$.

Since $\Delta \ge 0$ with equality if and only if $F$ is APN (see Proposition 2), we obtain the expected result.

We then derive the following theorem.

Theorem 2. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. Let

$\Delta = \#\{(x, a, b) \in (\mathbb{F}_2^n)^3,\ a \ne 0,\ b \ne 0,\ a \ne b,\ \text{such that } D_aD_bF(x) = 0\}$.

Then, we have

(i)

$\Delta \le (2^n - 1)(\mathcal{L}(F)^2 - 2^{n+1})$,

where equality holds if and only if the values occurring in the Walsh spectrum of $F$ belong to $\{0, \pm\mathcal{L}(F)\}$.

(ii) For any positive integer $\ell$ such that all nonzero Walsh coefficients of $F$ satisfy

$|\mathcal{F}(\varphi_a \circ F + \varphi_\beta)| \ge \ell$,

we have

$\Delta \ge (2^n - 1)(\ell^2 - 2^{n+1})$,

where equality holds if and only if the values occurring in the Walsh spectrum of $F$ belong to $\{0, \pm\ell\}$.

Proof. Let $\ell$ be a positive integer. Let $J(\ell)$ denote the following quantity

$J(\ell) = \sum_{a \in \mathbb{F}_2^n \setminus \{0\}} \sum_{\beta \in \mathbb{F}_2^n} [\mathcal{F}^4(\varphi_a \circ F + \varphi_\beta) - \ell^2 \mathcal{F}^2(\varphi_a \circ F + \varphi_\beta)]$
$\quad = \sum_{a \in \mathbb{F}_2^n \setminus \{0\}} \sum_{\beta \in \mathbb{F}_2^n} \mathcal{F}^2(\varphi_a \circ F + \varphi_\beta)[\mathcal{F}^2(\varphi_a \circ F + \varphi_\beta) - \ell^2]$.

By combining Proposition 6 and Parseval's relation, we obtain that

$J(\ell) = 2^{3n+1}(2^n - 1) + 2^{2n}\Delta - 2^{2n}(2^n - 1)\ell^2 = 2^{2n}(2^n - 1)(2^{n+1} - \ell^2) + 2^{2n}\Delta$.

Now, any term in the sum defining $J(\ell)$ satisfies

$\mathcal{F}^2(\varphi_a \circ F + \varphi_\beta)[\mathcal{F}^2(\varphi_a \circ F + \varphi_\beta) - \ell^2]$ is $< 0$ if $0 < |\mathcal{F}(\varphi_a \circ F + \varphi_\beta)| < \ell$, $= 0$ if $\mathcal{F}(\varphi_a \circ F + \varphi_\beta) \in \{0, \pm\ell\}$, and $> 0$ if $|\mathcal{F}(\varphi_a \circ F + \varphi_\beta)| > \ell$.

This implies that all terms appearing in $J(\mathcal{L}(F))$ are negative or zero. Then, we have

$\Delta \le (2^n - 1)(\mathcal{L}(F)^2 - 2^{n+1})$,

with equality if and only if all terms in the sum are zero. This situation only occurs if the values occurring in the Walsh spectrum of $F$ belong to $\{0, \pm\mathcal{L}(F)\}$. Similarly, if all nonzero Walsh coefficients of $F$ satisfy

$|\mathcal{F}(\varphi_a \circ F + \varphi_\beta)| \ge \ell$,

then all terms appearing in $J(\ell)$ are positive or zero. Therefore,

$\Delta \ge (2^n - 1)(\ell^2 - 2^{n+1})$,

with equality if and only if all terms in the sum are zero.
Another proof of this result can be obtained by using the error-correcting code corresponding to $F$ [6]. In that case, the proof is based on Pless identities and on some techniques due to Kasami [18]. As a direct application of the previous theorem, we derive a characterization of almost bent functions.

Corollary 1. Let $n$ be an odd integer and let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. Then, $F$ is AB if and only if $F$ is APN and all its Walsh coefficients are divisible by $2^{\frac{n+1}{2}}$.

Proof. $F$ is AB if and only if $\mathcal{L}(F) = 2^{\frac{n+1}{2}}$. Using Theorem 2 (i), we obtain that $\Delta \le 0$. Since $\Delta$ is a non-negative integer, it follows that $\Delta = 0$, i.e., $F$ is APN. Moreover, the upper bound given in Theorem 2 (i) is achieved. Therefore, the values occurring in the Walsh spectrum of $F$ belong to $\{0, \pm 2^{(n+1)/2}\}$. This implies that all Walsh coefficients are divisible by $2^{(n+1)/2}$.

Conversely, if all Walsh coefficients are divisible by $2^{(n+1)/2}$, then all nonzero Walsh coefficients satisfy

$|\mathcal{F}(\varphi_a \circ F + \varphi_\beta)| \ge 2^{(n+1)/2}$.

From Theorem 2 (ii) applied to $\ell = 2^{(n+1)/2}$, we obtain $\Delta \ge 0$. If $F$ is APN, we have $\Delta = 0$ and the lower bound given in Theorem 2 (ii) is reached. Therefore, the values occurring in the Walsh spectrum of $F$ belong to $\{0, \pm 2^{(n+1)/2}\}$. This implies that $F$ is AB.

Note that both properties of AB functions derived from the sufficient condition in the previous corollary have been proved in [9].

A first consequence of the divisibility of the Walsh coefficients of an AB function is the following upper bound on its degree. This bound can be derived from [7, Lemma 3].

Corollary 2. [8] Let $n$ be an odd integer and $F$ be an AB function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. Then,

$\deg(F) \le \frac{n+1}{2}$.

Therefore, there exists a trade-off between the security criteria involved by linear cryptanalysis and by higher order differential attacks.

When $F$ is a power function, $F : x \mapsto x^s$, the corresponding code $C_F$ is the dual of the binary cyclic code of length $(2^n - 1)$ with defining set $\{1, s\}$ (see Section 4.1). The weight divisibility of a cyclic code can be obtained by applying McEliece's theorem:

Theorem 3. [27] The weights of all codewords in a binary cyclic code $C$ are exactly divisible by $2^\ell$ if and only if $\ell$ is the smallest number such that $(\ell + 1)$ nonzeros of $C$ (with repetitions allowed) have product 1.

This leads to the following characterization of AB power functions.
Corollary 3. Let $n$ be an odd integer and let $F : x \mapsto x^s$ be a power function over $\mathbb{F}_{2^n}$. Then, $F$ is AB if and only if $F$ is APN and

$\forall u,\ 1 \le u \le 2^n - 1,\quad w_2(us \bmod (2^n - 1)) \le \frac{n-1}{2} + w_2(u)$,

where $w_2(u)$ corresponds to the number of 1s in the 2-adic expansion of $u$.

Thanks to McEliece's theorem, the determination of the values of $s$ such that $x \mapsto x^s$ is almost bent on $\mathbb{F}_{2^n}$ is reduced to a combinatorial problem. Most notably, this technique was directly used to prove that some power functions are AB [5,15]. Moreover, it leads to a very efficient method for proving that a
given power function is not AB. For example, the APN power function x x^ 
over F25g with s = 2^® + 2^® + 2^® + 2® — 1 does not satisfy the condition of 
Corollary 3 [6]. 
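The combinatorial condition of Corollary 3 is cheap to test exhaustively for small odd $n$. The following Python is an added example, not code from the paper: it checks the weight condition for the exponent families of Table 1 (Gold, Kasami, Welch and Niho, instantiated by the editor for $n = 5, 7, 9$) and shows that the inverse permutation $x^{2^n-2}$, which is APN for odd $n$ but of degree $n - 1$, fails the condition already at $u = 1$.

```python
"""Corollary 3: for odd n and gcd(s, 2^n - 1) = 1, the power permutation x^s
over GF(2^n) is AB iff it is APN and, for all u in [1, 2^n - 1],
    w2(u s mod (2^n - 1)) <= (n - 1)/2 + w2(u),
where w2 is the binary weight.  Added example, not the paper's code; the
exponent families are those of Table 1, instantiated for small odd n here."""
from math import gcd


def w2(u):
    """Number of ones in the 2-adic expansion of u."""
    return bin(u).count("1")


def first_violation(s, n):
    """Smallest u in [1, 2^n - 1] violating the weight condition of
    Corollary 3 for the exponent s over GF(2^n), or None if it holds."""
    if n % 2 == 0:
        raise ValueError("Corollary 3 is stated for odd n")
    modulus = (1 << n) - 1
    bound = (n - 1) // 2
    for u in range(1, modulus + 1):
        if w2((u * s) % modulus) > bound + w2(u):
            return u
    return None


def table1_exponents(n):
    """Exponent families of Table 1 for odd n: Gold, Kasami, Welch and Niho."""
    t = (n - 1) // 2
    exps = {}
    for i in range(1, t + 1):
        if gcd(i, n) == 1:
            exps[f"Gold 2^{i}+1"] = (1 << i) + 1
    for i in range(2, t + 1):
        if gcd(i, n) == 1:
            exps[f"Kasami 2^{2 * i}-2^{i}+1"] = (1 << (2 * i)) - (1 << i) + 1
    exps[f"Welch 2^{t}+3"] = (1 << t) + 3
    if n % 4 == 1:
        exps[f"Niho 2^{t}+2^{t // 2}-1"] = (1 << t) + (1 << (t // 2)) - 1
    else:  # n = 3 mod 4
        k = (3 * n - 1) // 4
        exps[f"Niho 2^{t}+2^{k}-1"] = (1 << t) + (1 << k) - 1
    return exps


def check_table1(n):
    """Map each Table 1 exponent for this n to whether Corollary 3's condition holds."""
    return {name: first_violation(s, n) is None
            for name, s in table1_exponents(n).items()}


if __name__ == "__main__":
    for n in (5, 7, 9):
        print(n, check_table1(n))
    # The inverse permutation x^(2^n - 2) is APN for odd n but has degree n - 1,
    # so by Corollary 2 it cannot be AB: the weight condition fails at u = 1.
    print("inverse, n = 7: first violation at u =", first_violation((1 << 7) - 2, 7))
```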

These recent results lead to the following list (up to equivalence) of known AB permutations (Table 1). All these functions are power functions. Here, we only give one exponent per cyclotomic coset modulo $(2^n - 1)$. We do not mention the exponent corresponding to the inverse permutation (which is AB too).

Table 1. Known AB power permutations $x^s$ on $\mathbb{F}_{2^n}$

exponent $s$ | condition on $n$ | reference
$2^i + 1$ with $\gcd(i, n) = 1$ and $1 \le i \le (n-1)/2$ | | [13,30]
$2^{2i} - 2^i + 1$ with $\gcd(i, n) = 1$ and $2 \le i \le (n-1)/2$ | | [19]
$2^{(n-1)/2} + 3$ | | [5]
$2^{(n-1)/2} + 2^{(n-1)/4} - 1$ | $n \equiv 1 \bmod 4$ | [15]
$2^{(n-1)/2} + 2^{(3n-1)/4} - 1$ | $n \equiv 3 \bmod 4$ | [15]



When $n$ is even, the smallest known value of $\mathcal{L}(F)$ for a function $F$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ is $\mathcal{L}(F) = 2^{n/2+1}$. The only known functions (up to equivalence) achieving this bound are power functions. Since power permutations cannot be APN, it clearly appears that the security criteria corresponding to differential cryptanalysis and to linear cryptanalysis are not so strongly related. Moreover, the divisibility of the Walsh coefficients of these highly nonlinear functions varies. In particular, the degree of such a function is not upper-bounded since there is no requirement on the divisibility of the Walsh coefficients. Table 2 gives all known power functions achieving the highest known nonlinearity and the divisibility of their Walsh coefficients.

Table 2. Known power permutations x^s on F_{2^n} with the highest nonlinearity and
highest divisibility of their Walsh coefficients

  exponent s                                        condition on n     divisibility    reference
  -----------------------------------------------------------------------------------------------
  2^{n-1} - 1                                                          2^2             [21]
  2^i + 1 with gcd(i, n) = 2                        n ≡ 2 (mod 4)      2^{n/2+1}       [13,30]
  2^{2i} - 2^i + 1 with gcd(i, n) = 2               n ≡ 2 (mod 4)      2^{n/2+1}       [19]
  [exponent illegible] with gcd(k, n) = 1           n ≡ 0 (mod 4)      2^{n/2}         [12]
  2^{n/2} + 2^{(n+2)/4} + 1                         n ≡ 2 (mod 4)      2^{n/2+1}       [11]
  2^{n/2} + 2^{n/2-1} + 1                           n ≡ 2 (mod 4)      2^{n/2+1}       [11]
  2^{n/2} + 2^{n/4} + 1                             n ≡ 4 (mod 8)      2^{n/2}         [12]

6 Conclusion

The functions which offer the best resistance to linear cryptanalysis possess
a very strong algebraic structure. The AB property appears very restrictive. In
particular, AB functions also guarantee the highest possible resistance against
differential cryptanalysis. But, besides the APN property, they can be charac-
terized by the divisibility of their Walsh coefficients. This particular structure
leads to an upper bound on their degree (which limits their resistance against
higher order differential attacks) and it may introduce some other weaknesses.
Therefore, it seems preferable to use as round function a function whose nonlin-
earity is high but not optimal. Most notably, the functions of an even number of
variables which have the highest known nonlinearity do not present any similar
properties. As an example, the inverse function over a finite field F_{2^n} with n
even (used in the AES) offers a very high resistance against differential, linear and
higher order differential attacks. Moreover, its Walsh coefficients are divisible
by 4 only (which is the lowest possible divisibility).
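The claims in Tables 1 and 2 and in the conclusion can be checked by brute force for small n. The following Python code is an added example (not part of the paper): it builds x^s over F_{2^n}, computes every Walsh coefficient W(a,b) = sum_x (-1)^{b.F(x) + a.x} for b != 0 with a fast Walsh-Hadamard transform, and reports the linearity max |W(a,b)| together with the largest power of two dividing all coefficients. The field representations F_{2^5} = F_2[x]/(x^5+x^2+1) and F_{2^6} = F_2[x]/(x^6+x+1) and the bitwise dot product as inner product are assumptions (the set of Walsh values does not depend on them). Run on x^3 over F_{2^5} (a Gold exponent from Table 1) it gives linearity 2^{(n+1)/2} = 8 with all coefficients divisible by 8; on x^5 over F_{2^6} (the Gold row of Table 2, gcd(i,n) = 2) it gives 16 and divisibility 2^{n/2+1} = 16; on the inverse x^{2^6-2} over F_{2^6} it gives 16 and divisibility 4 only.

```python
"""Walsh spectrum of a power function x^s over GF(2^n), computed from the definition.
Added example; the field polynomials and the dot-product inner product are assumptions."""
import math
from functools import reduce


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n) = F_2[x]/(poly); poly includes the x^n term, e.g. 0x25 = x^5+x^2+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: reduce modulo poly
            a ^= poly
    return r


def gf_pow(x, s, n, poly):
    """x^s by square-and-multiply. gf_pow(0, s) = 0 for s > 0, so s = 2^n - 2 is the
    inverse map with the usual convention 0 -> 0."""
    r = 1
    while s:
        if s & 1:
            r = gf_mul(r, x, n, poly)
        x = gf_mul(x, x, n, poly)
        s >>= 1
    return r


def fwht(vec):
    """In-place fast Walsh-Hadamard transform: vec[a] becomes sum_x vec[x] (-1)^{a.x}."""
    h = 1
    while h < len(vec):
        for i in range(0, len(vec), 2 * h):
            for j in range(i, i + h):
                u, v = vec[j], vec[j + h]
                vec[j], vec[j + h] = u + v, u - v
        h *= 2
    return vec


def walsh_values(table, n):
    """All W(a, b) = sum_x (-1)^{b.F(x) + a.x} for b != 0, '.' being the bitwise dot product."""
    size = 1 << n
    parity = [bin(v).count("1") & 1 for v in range(size)]
    values = []
    for b in range(1, size):
        values.extend(fwht([1 - 2 * parity[b & table[x]] for x in range(size)]))
    return values


def spectrum_summary(s, n, poly):
    """(is_permutation, linearity, divisibility) of x^s on GF(2^n): linearity is
    max |W(a,b)|, divisibility the largest power of two dividing every W(a,b)."""
    table = [gf_pow(x, s, n, poly) for x in range(1 << n)]
    values = walsh_values(table, n)
    g = reduce(math.gcd, values)
    return (len(set(table)) == len(table), max(abs(w) for w in values), g & -g)


if __name__ == "__main__":
    # x^3 on GF(2^5): AB; x^5 on GF(2^6): Gold with gcd(2, 6) = 2; x^62 on GF(2^6): inverse
    for s, n, poly in ((3, 5, 0x25), (5, 6, 0x43), (62, 6, 0x43)):
        print("x^%d on GF(2^%d): (perm, linearity, divisibility) =" % (s, n),
              spectrum_summary(s, n, poly))
```

The nonlinearity of each function is (2^n - linearity)/2, so the inverse on F_{2^6} has nonlinearity 24 = 2^{n-1} - 2^{n/2}, the best known value for n even, while its divisibility stays at the minimum of 4.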
Mobile Agent Route Protection through Hash-Based Mechanisms*

J. Domingo-Ferrer

Abstract. One approach to secure mobile agent execution is restrict-
ing the agent route to trusted environments. A necessary condition for
this approach to be practical is that the agent route be protected. Pre- 
vious proposals for agent route protection either offer low security or 
suffer from high computational costs due to cryptographic operations. 
We present two fast, hash-based mechanisms for agent route protection. 
The first solution relies on hash collisions and focuses on minimizing the 
computational cost of route verification by hosts along the route; the 
cost is shifted to the stage of route protection by the agent owner. The 
second solution uses Merkle trees and minimizes the cost of route pro- 
tection by the agent owner, so that a single digital signature suffices to 
protect the whole route; for hosts along the route, the verification cost is 
similar to the cost of previous schemes in the literature, namely one dig- 
ital signature verification per route step. The first solution is especially 
suitable for agent routes which go through heavily loaded hosts (to avoid 
denial of service or long delay). The second solution is more adapted to 
mitigating the bottleneck at agent owners who are expected to launch a 
great deal of agents. Both solutions provide independent protection for 
each route step and can be extended to handle flexible itineraries. 

Keywords: Mobile agent security, agent route protection, hash colli- 
sions, Merkle trees. 



1 Introduction 

It is increasingly difficult for individuals to take advantage of the exponentially
growing wealth of information on the Internet. Mobile agents can be very helpful,
as they are programs that roam the network searching for the products that best fit
the buyer's requirements. The mobility property raises important security issues: (i)
it is important to protect network hosts against malicious agents; (ii) agents
should also be protected against malicious hosts. The first problem is analogous
to anti-viral protection, and has thus been studied profusely. The second problem
consists of attacks to modify the route or the code of the mobile agent by a
malicious host which may or may not be in the initial agent route. Only a few
(non-exclusive) approaches to protecting agents against malicious hosts have
been proposed:

* This work is partly supported by the Spanish CICYT under project no. TEL98-0699-C02-02.

— Encrypted functions. In [16], the agent code is identified with the function 
it computes and a solution is proposed based on computing with encrypted 
functions (an extension of computing with encrypted data, [3]). This only 
works for a restricted class of functions. 

— A posteriori detection. Attacks are detected after they have happened (which 
may be too late), and upon detection, information can be retrieved and used 
to accuse the malicious host. Examples are [1,10,21]. Code watermarking [18] 
would also fall in this category. 

— Obfuscation of agent code. This is an alternative which reduces code read- 
ability and thus makes attacks unlikely. Examples can be found in [5,7,9,17]. 

— Trusted environments. Agents only visit trusted execution environments. A 
necessary condition to restrict mobility to trusted environments is that the 
agent route be protected. 

This paper contributes to the last aforementioned approach by showing effi-
cient ways to protect agent routes. Section 2 discusses previous work. Section 3
describes a mechanism based on hash collisions which has an extremely low
cost in terms of verification by hosts along the route, but is more costly for the
agent owner. Section 4 describes a solution based on Merkle trees which has
the same verification cost for hosts along the route as previous schemes, but
offers a lower computational cost for the agent owner. Section 5 contains some
conclusions and shows how the proposed schemes can be used to protect flexible
itineraries with alternative paths.

2 Previous Work on Agent Route Protection 

In [19] a general concept of an agent route, called itinerary, is given. Flexible 
agent travel plans can be specified which allow dynamic adaptation and expan- 
sion during the execution of the agent. A shortcoming of this scheme is that it 
is vulnerable to corruption of hosts specified in the itinerary; a corrupted host 
can modify the itinerary or attack other hosts in the itinerary to cause denial of 
service to the agent. In [2], a partial solution to the above problems is outlined, 
but no countermeasures are described to prevent host addition or removal. 

In [22] nested encryptions and signatures are used to provide increased se-
curity to the agent route. The basic idea is to sign and encrypt host addresses
iteratively to attain a high level of security. Let PK_i be the public key of the
i-th host and let S_0(·) be the signature function of the agent owner H_0. Then
the whole route r is coded as

    r = E_{PK_1}[H_2, S_0(H_1, m_1, H_2, t, E_{PK_2}[\cdots]), E_{PK_2}[\cdots]]

where, for i = 1 to n - 1,

    E_{PK_i}[\cdots] = E_{PK_i}[H_{i+1}, S_0(H_i, m_i, H_{i+1}, t, E_{PK_{i+1}}[\cdots]), E_{PK_{i+1}}[\cdots]]

and

    E_{PK_n}[\cdots] = E_{PK_n}[H_0, S_0(H_n, m_n, H_0, t)].

In the above expressions, H_i is the IP address of the i-th host, m_i is the method
(code) to be run at H_i, H_0 is the IP address of the agent owner (the host which
originates the agent) and t is a timestamp (IP stands for Internet Protocol).

The above coding allows the route to be enforced as follows. The first host H_1 re-
ceives r and decrypts it using its private key to obtain S_0(H_1, m_1, H_2, t, E_{PK_2}[\cdots]),
H_2 and E_{PK_2}[\cdots]. Using the public key of the agent owner, H_1 can verify that
the next host address H_2 and the value E_{PK_2}[\cdots] of the rest of the route were
included in the route by the agent owner. The inclusion of its own address H_1
and method m_1 in the signature allows H_1 to detect that it was also included
in the route by the agent owner and that the method m_1 enclosed with
the route is what the agent owner meant to be run at H_1 (this is actually an
enhancement over the original proposal [22], which did not include the methods
in the signatures). The timestamp t is used to include an expiration date to pre-
vent re-use of older routes of the same agent by malicious hosts. Beyond these
validations, H_1 cannot obtain any additional knowledge on the rest of the route
since all remaining information is encrypted under the public key PK_2 of H_2.
Then H_1 sends the agent to H_2 together with

    r_1 = E_{PK_2}[H_3, S_0(H_2, m_2, H_3, t, E_{PK_3}[\cdots]), E_{PK_3}[\cdots]]

The above decryption and verification process is repeated by H_2 and so on up
to H_n. After n steps, the agent is returned by H_n to H_0. The weak point of
proposal [22] is the high processing cost of nested encryptions and signatures
at each host along the route (one decryption and one signature verification are
needed).

The approach described in [11] is similar to [22] in that it uses one encryption
and one signature for each step of the route. In this case, encryptions are nested,
whereas signatures are not. This scheme can be generalized to accommodate al-
ternative itineraries.

In the next two sections, two mechanisms are described which substantially
reduce the computational overhead of the above proposals, while still preserving
the feature that route verification at H_i does not require any information on
previous route steps (in particular, methods m_j for j < i can be discarded).¹

3 Reducing the Computational Cost of Route Verification 



In comparison with the proposals recalled in Section 2, the mechanism proposed
in this section focuses on reducing the cost of route verification at the expense
of making route protection more costly for the agent owner. This is especially
useful if some of the hosts in the route are usually overloaded with computation
(verifications have to be fast to avoid long delays or denial of service). A real-
istic case where this may happen is when the agent route goes through hosts
containing massively accessed Internet or database search engines.

¹ Note that a single signature on the concatenation of all route steps is very efficient
from a computational viewpoint, but forces the agent to convey all route steps (with
their methods m_i) until the route is finished.

The scheme proposed here borrows from the MicroMint micropayment sys-
tem [15] the idea of replacing digital signatures with collisions of a hash func-
tion; even if not explicitly mentioned, all hash functions used in what follows are
assumed to be one-way and collision-free (see Appendix). For implementation
purposes, one-way hash functions like SHA [13], MD5 [14] or DES [12] are rea-
sonable choices. The main advantage of replacing digital signatures with hash
functions is the speed gain. According to figures by Rivest, if computing an RSA
signature takes time t, verifying an RSA signature with a low public exponent can
be done in t/100 and, more importantly, evaluating a hash function can be done
in t/10000.

Based on the above ideas, we propose to extend the application of hash col- 
lisions from micropayments to agent route protection. Basically, the problem is 
the same: instead of fast verification of coins by a payee, we need fast verification 
of route steps by the hosts along the route. 

We assume in what follows that, for each host H_i, the agent owner H_0 has
set up a symmetric encryption key k_i for secret communication from H_0 to H_i.
A way to do this is for H_0 to generate k_i and send E_{PK_i}(k_i) to H_i, where PK_i
is the public key of host H_i.² The key k_i can be used by H_0 for all routes she
schedules through H_i. This allows public-key encryption to be replaced with
symmetric encryption; an advantage is that, with the higher speed of symmetric
encryption, we can afford to encrypt the code methods to be run at each host,
which results in higher confidentiality.

Also, one-way hash functions F_m and F_t are used whose outputs are, respec-
tively, strings of lengths m and t. Standard hash functions, such as SHA, MD5
or DES, may have more output bits than the required m and t; in that case,
take the m, resp. t, low-order bits as output.

Algorithm 1 (Route protection with hash collisions)

1. [Notation] The agent owner chooses n hosts represented by their IP
addresses H_1, ..., H_n. Let H_0 be the address of the agent owner. Let k_i be
the symmetric encryption key set up for secret communication from H_0 to
H_i. Let m_i be the code to be run at H_i.

2. [Encryption] The agent owner computes U_i = E_{k_i}(H_{i-1}, H_i, H_{i+1}, m_i) for
i = 1, ..., n - 1. For i = n, compute U_n = E_{k_n}(H_{n-1}, H_n, H_0, m_n).

3. [Collision computation] For i = 1 to n, H_0 computes a k-collision (x_{i,1},
..., x_{i,k}) such that

    F_m(x_{i,1}) = F_m(x_{i,2}) = \cdots = F_m(x_{i,k}) = y_i

where y_i is an m-bit string such that its t high-order bits match F_t(U_i).

² We do not require that H_0 authenticate itself to H_i when setting up k_i. Although
authenticating the origin of k_i would certainly render route step authentication
straightforward, it would burden H_i with something like a signature verification,
which is against the main goal of the scheme discussed here (minimizing computa-
tion at route hosts).

Algorithm 2 (Route verification with hash collisions)

1. [Start of route] The agent is sent by H_0 to the first host of the route,
namely H_1, together with the n k-collisions (one for each route step) and U_i
for i = 1, ..., n.

2. [Operation at host H_i] H_i takes the i-th k-collision and checks that all
of its k values actually hash to the same y_i. Then H_i checks that F_t(U_i)
matches the t high-order bits of y_i. If the check is OK, H_i decrypts U_i and
obtains (H_{i-1}, H_i, H_{i+1}, m_i) for i < n or (H_{n-1}, H_n, H_0, m_n) for i = n. At
this moment, H_i runs m_i and, after that, forwards U_{i+1}, ..., U_n along with
the k-collisions corresponding to the remaining route steps to H_{i+1} (or to
H_0 if i = n).

3. [End of route] The route ends at the agent owner H_0.
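Algorithms 1 and 2 worked end to end in Python. This is an added example and not the paper's code. It assumes that F_m and F_t are the low-order bits of SHA-256, instantiates the symmetric cipher E_k as a random nonce followed by an HMAC-SHA256 keystream XOR (a stand-in chosen so that the example runs with the standard library alone), and uses toy parameters m = 20, t = 6, k = 3 so that the owner's collision search takes a fraction of a second; the IP addresses, keys and methods are constructed. Verification at a host is exactly the k hashes plus one decryption counted in Section 3.1, and a step altered by someone who does not know the corresponding key (here the H_2 field of U_2) is rejected, either because F_t(U_2) no longer matches the high-order bits of y_2 or because the decrypted second address is not the host's own.

```python
"""Agent route protection and verification with k-collisions (Algorithms 1 and 2).
Added example, not the paper's code. Assumptions: F_m and F_t are the low-order bits
of SHA-256; the symmetric cipher E_k is a nonce + HMAC-SHA256 keystream XOR (a
stand-in for whatever cipher the keys k_i are used with); toy parameters m=20, t=6, k=3."""
import hashlib
import hmac
import ipaddress
import os
import struct

M_BITS, T_BITS, K = 20, 6, 3            # Example 1 of the paper uses m=52, t=21, k=4


def f_bits(data, bits):
    """F_bits(x): the `bits` low-order bits of SHA-256(x), as an int."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << bits) - 1)


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """E_k: a 16-byte random nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def pack_step(prev, me, nxt, method):
    """The tuple (H_{i-1}, H_i, H_{i+1}, m_i): three packed IPv4 addresses, then the method."""
    return b"".join(ipaddress.IPv4Address(h).packed for h in (prev, me, nxt)) + method


def unpack_step(blob):
    addrs = tuple(str(ipaddress.IPv4Address(blob[j:j + 4])) for j in (0, 4, 8))
    return addrs + (blob[12:],)


def find_collision(target):
    """Algorithm 1, step 3: hash random inputs until K distinct ones share the same m-bit
    value y whose T_BITS high-order bits equal `target` (the balls-into-bins process of Lemma 1)."""
    bins, x = {}, int.from_bytes(os.urandom(8), "big")
    while True:
        x += 1
        xb = x.to_bytes(9, "big")
        y = f_bits(xb, M_BITS)
        if y >> (M_BITS - T_BITS) != target:
            continue                    # not a "good ball"
        bucket = bins.setdefault(y, [])
        bucket.append(xb)
        if len(bucket) == K:
            return bucket


def protect_route(hosts, keys, methods):
    """Algorithm 1. hosts[0] is the owner H_0; keys[h] and methods[h] belong to host h."""
    n = len(hosts) - 1
    steps = []
    for i in range(1, n + 1):
        nxt = hosts[i + 1] if i < n else hosts[0]
        u = encrypt(keys[hosts[i]], pack_step(hosts[i - 1], hosts[i], nxt, methods[hosts[i]]))
        steps.append((u, find_collision(f_bits(u, T_BITS))))
    return steps


def verify_step(my_addr, my_key, u, collision):
    """Algorithm 2, step 2, at host H_i: K hashes and one symmetric decryption.
    Returns (H_{i-1}, H_{i+1}, m_i), or None if the step is rejected."""
    if len(collision) != K or len(set(collision)) != K:
        return None
    ys = {f_bits(x, M_BITS) for x in collision}
    if len(ys) != 1 or ys.pop() >> (M_BITS - T_BITS) != f_bits(u, T_BITS):
        return None
    prev, me, nxt, method = unpack_step(decrypt(my_key, u))
    if me != my_addr:                   # P2: the owner did include me in this route
        return None
    return prev, nxt, method


def run_route(hosts, keys, steps):
    """Simulate the trip: each host verifies its step, 'runs' m_i and forwards the rest.
    Raises ValueError on a rejected step; returns [(host, method)] in execution order."""
    executed, current, came_from = [], hosts[1], hosts[0]
    for u, collision in steps:
        out = verify_step(current, keys[current], u, collision)
        if out is None:
            raise ValueError("step rejected at " + current)
        prev, nxt, method = out
        if prev != came_from:           # P4, assuming the transport authenticates the sender
            raise ValueError("unexpected previous host at " + current)
        executed.append((current, method))
        came_from, current = current, nxt
    if current != hosts[0]:
        raise ValueError("route did not end at the owner")
    return executed


def demo(tamper=False):
    """Constructed route H_0 -> H_1 -> H_2 -> H_3 -> H_0 with per-host keys k_i."""
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    keys = {h: hashlib.sha256(("k_" + h).encode()).digest() for h in hosts[1:]}
    methods = {hosts[1]: b"search()", hosts[2]: b"compare()", hosts[3]: b"buy()"}
    steps = protect_route(hosts, keys, methods)
    if tamper:  # a host that does not know k_2 alters U_2 (here: a byte of the H_2 field)
        u, coll = steps[1]
        steps[1] = (u[:20] + bytes([u[20] ^ 1]) + u[21:], coll)
    return run_route(hosts, keys, steps)


def tampered_route_rejected():
    try:
        demo(tamper=True)
    except ValueError:
        return True
    return False
```

The stand-in cipher provides no integrity of its own; as in the paper, the binding of U_i to a freshly minted collision is what a host relies on, and the expected cost of each call to find_collision grows with m, t and k exactly as Lemma 1 describes.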



3.1 Computational Cost

For a host H_i along the route, the computational cost of route verification fol-
lowing Algorithm 2 is reduced to k hash computations and one symmetric de-
cryption.

For the agent owner, the cost is dominated by the computation of k-collisions.
Objections have been raised against the high cost of k-collision computation in
the case of large-scale MicroMint [20]. We next give a quantitative cost analysis
and illustrate the practicality of using k-collisions for our application with a
realistic example.

Lemma 1. If N hash values are computed, the probability of obtaining at least
a k-way collision of length m bits with the t high-order bits fixed is

    1 - \left[ e^{-N'p} \sum_{i=0}^{k-1} \frac{(N'p)^i}{i!} \right]^{2^{m-t}}        (1)

where N' := N 2^{-t} and p := 2^{t-m}.

Proof. Computing a hash value y = F_m(x), where the length of y is m bits, is
analogous to the problem of tossing a ball x at random into one of 2^m bins (the
possible values of y). If we call a ball x "good" when the t high-order bits of y
match a fixed pattern, then N hash computations will yield an expected number
N' := N 2^{-t} of good balls to be tossed at random into one of 2^{m-t} bins (the
possible values of the m - t low-order bits of y). The probability of obtaining
at least one k-way collision is 1 minus the probability of all bins getting k - 1
or fewer balls. The probability of a given bin getting a ball in a given toss is
p := 2^{t-m}. If N'p = N 2^{-m} < 5, p < 0.1 and N' > 30 (equivalently, N > 2^t · 30),
the probability that a bin gets k - 1 or fewer balls can be computed using a Poisson
approximation:

    P(k - 1 \text{ or fewer balls in a bin}) = e^{-N'p} \sum_{i=0}^{k-1} \frac{(N'p)^i}{i!}        (2)

Now the probability of getting at least one k-collision is

    P(\text{at least one } k\text{-collision}) = 1 - \left( P(k - 1 \text{ or fewer balls in a bin}) \right)^{2^{m-t}}        (3)

By substituting Expression (2) in Expression (3), we obtain Expression (1). □

Example 1. In Algorithm 1, let F_m be the low-order m bits of the output of the
SHA hash function; formally:

    F_m(x) = [SHA(x)]_{1 \ldots m}

Similarly define F_t as [SHA(x)]_{1 \ldots t}. According to recent figures given by [20],
current custom chip technology allows 2^{22} hashes to be computed per second
per dollar of chip cost. Assume, as in [15], that the agent owner spends $100,000
in custom chips, so that she can evaluate F_m around 2^{39} times per second (we
approximate 2^{22} × 100,000 by 2^{39} for ease of calculation). Take k = 4 and
assume the agent owner is ready to spend 2^8 seconds (about 4 minutes) to compute
a 4-collision; in that time, N = 2^{47} hash values can be computed. If m = 52
and t = 21 are used, Lemma 1 gives the probability of the agent owner getting
at least one good 4-collision of F_m (with the t high-order bits fixed) in four
minutes:

    1 - \left[ e^{-2^{-5}} \left( 1 + 2^{-5} + \frac{2^{-10}}{2!} + \frac{2^{-15}}{3!} \right) \right]^{2^{31}} \approx 1 - 0.716 \cdot 10^{-56}        (4)

Thus, a good 4-collision will be obtained by the agent owner in four minutes
with extremely high probability. □

Thus, it can be seen from Example 1 that coming up with a 4-collision with
fixed t high-order bits is costly but by no means unaffordable for the agent
owner.³ This is compensated by the cost reduction in route verification (a relevant
figure if the route goes through very busy hosts).



3.2 Security of the Scheme

We will show in this section that the following properties, identified as relevant
for agent route protection in [22] (see Section 2), are fulfilled by the above scheme:

P1. Hosts should not be able to modify the agent route.

P2. Every host should be able to check it was included in the agent route.

P3. Every host should only see the previous host and the next host in the route.

P4. Every host should be able to authenticate the host the agent is coming from.

P5. A host should not be able to replace a route by older routes of the same
agent.

³ Unlike for MicroMint, finding one good collision at a time is enough in our applica-
tion, so the storage and sorting costs additional to the chip cost are much lower.


The basic security of the above scheme rests on two defense lines:

— The difficulty of computing hash collisions of F_m with standard hardware.

— For fixed U_i, the infeasibility of finding U'_i ≠ U_i such that F_t(U_i) = F_t(U'_i)
and such that decryption of U'_i under k'_i yields H'_i as the second of the three
IP addresses obtained, where k'_i is the key shared between the agent owner
and the host with IP address H'_i.

With a proper parameter choice, the difference between the custom hardware
of the agent owner and the standard hardware of a typical user is enough to
guarantee efficient computation of m-bit k-collisions for the former and difficult
computation for the latter. The following example illustrates this point.

Example 2. In [15], it is assumed that a 1995 standard workstation could perform
2^{14} hash operations per second. Using Moore's law (computer hardware gets
faster by a factor of 2 every eighteen months), a more realistic figure for a 2001
standard workstation is that it can perform 2^{14} · 2^4 = 2^{18} hash operations per
second.

With the above choice m = 52, t = 21 and k = 4, assume 2^{25} seconds (more
than one year) are devoted to computing a 4-collision; in that time, N = 2^{43}
hash values can be computed by an attacker owning a standard workstation.
Lemma 1 gives the probability of the attacker getting at least one good 4-collision
of F_m (with the t high-order bits fixed) in 2^{25} seconds:

    1 - \left[ e^{-2^{-9}} \left( 1 + 2^{-9} + \frac{2^{-18}}{2!} + \frac{2^{-27}}{3!} \right) \right]^{2^{31}} \approx 1 - 0.9987008 = 0.0012992        (5)

Thus, the probability of forging a good 4-collision in one year is very low.
As computer hardware gets faster, slight increases of k may be needed in order
for k-collisions to be computable by the agent owner and not by typical users. □
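Lemma 1 and Examples 1 and 2 can be evaluated numerically. The Python routine below is an added example (not from the paper): it computes Expression (1) through the logarithm of the bracketed term, so that raising it to the power 2^{m-t} neither underflows nor loses the small probability of Example 2, and it enforces the range (N'p < 5, p < 0.1, N' > 30) under which the Poisson approximation was stated. The hash rates 2^{39}/s and 2^{18}/s and the time budgets 2^8 s and 2^{25} s are the ones assumed in the two examples. It reproduces the 0.0012992 of Expression (5). For the parameters of Expression (4) it returns a probability indistinguishable from 1 in double precision, the logarithm of the complement being about -83 (a deficit near 10^{-36} rather than the 10^{-56} printed in (4); the conclusion that the owner succeeds with overwhelming probability is unchanged).

```python
"""Probability of at least one good k-collision (Lemma 1), evaluated numerically.
Added example; the hash rates and time budgets below are the ones assumed in Examples 1 and 2."""
import math


def within_poisson_range(N, m, t, k):
    """The conditions of Lemma 1: N'p < 5, p < 0.1 and N' > 30 (so N > 2^t * 30)."""
    return N / 2.0 ** m < 5 and 2.0 ** (t - m) < 0.1 and N / 2.0 ** t > 30


def log_no_collision(N, m, t, k):
    """Natural log of [P(k-1 or fewer balls in a bin)]^(2^(m-t)), the bracket of (1).
    The bin tail sum_{i>=k} e^-lam lam^i/i! is accumulated directly, then log1p keeps
    the precision that evaluating the k-1 head and subtracting from 1 would lose."""
    if not within_poisson_range(N, m, t, k):
        raise ValueError("parameters outside the range where Lemma 1 applies")
    lam = N / 2.0 ** m                         # N'p = (N 2^-t) (2^{t-m})
    tail, term = 0.0, math.exp(-lam) * lam ** k / math.factorial(k)
    for i in range(k, k + 40):                 # terms beyond k+40 are far below double precision
        tail += term
        term *= lam / (i + 1)
    return 2.0 ** (m - t) * math.log1p(-tail)  # 2^(m-t) bins, assumed independent


def collision_probability(N, m, t, k):
    """Expression (1): 1 - [P(k-1 or fewer)]^(2^(m-t)), accurate both near 0 and near 1."""
    return -math.expm1(log_no_collision(N, m, t, k))


def example(rate_log2, seconds_log2, m=52, t=21, k=4):
    """Hash budget N = rate * seconds, as in Examples 1 and 2 of the paper."""
    return collision_probability(2.0 ** (rate_log2 + seconds_log2), m, t, k)


if __name__ == "__main__":
    print("Example 1 (2^39 hashes/s, 2^8 s):", example(39, 8),
          "log of complement", log_no_collision(2.0 ** 47, 52, 21, 4))
    print("Example 2 (2^18 hashes/s, 2^25 s):", example(18, 25))
```

The same function shows how the margin between owner and attacker moves with k: raising k by one multiplies the per-bin tail by roughly N'p/(k+1), which for the attacker of Example 2 is 2^{-9}/5, so the 0.0013 of Expression (5) drops by about three orders of magnitude for each increment of k while the owner, with N'p = 2^{-5}, loses far less.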

Regarding the second defense line, for a fixed U_i, consider the feasibility of
finding U'_i ≠ U_i such that F_t(U_i) = F_t(U'_i) and such that U'_i decrypts into a valid
IP address H'_i when being decrypted by a host H'_i under its key k'_i. Note that
it does not make sense for H_i to try to forge a U'_i ≠ U_i (this does not cause any
deviation in the route); nor does it make sense for a host H'_i to try to replace
U_i with a different U'_i which decrypts into H'_i as second IP address when using
the key k'_i shared between H'_i and the agent owner. What makes sense is for a
host H_j to try to forge U'_i ≠ U_i, for j ≠ i; this could alter the i-th step of the
planned route. In this case, the attacker does not know the encryption key k'_i that
will be used by the host H'_i at the i-th step of the altered route, so the best
strategy is to randomly look for a U'_i ≠ U_i that satisfies F_t(U_i) = F_t(U'_i) and
then hope that decryption of U'_i under k'_i will yield the 32 bits corresponding to
the IP address H'_i in the correct positions. An attempt to meet this second
condition with a random U'_i will succeed only with probability 2^{-32}. Thus, a huge
number of attempts are likely to be needed. On the other hand, each attempt
requires finding a U'_i colliding with U_i under F_t, and then decrypting U'_i; with a
proper parameter choice, finding a colliding U'_i takes a non-negligible computing
time (see Note 1 below), which makes it impractical to perform a huge number
of attempts.

Note 1 (On satisfying F_t(U_i) = F_t(U'_i)). If F_t is one-way, a U'_i ≠ U_i such that
F_t(U'_i) = F_t(U_i) must be looked for at random. The probability of coming up
with a good U'_i is analogous to the probability of hitting a fixed bin when ran-
domly tossing a ball into one of 2^t bins; thus this probability is 2^{-t}, which means
that 2^t hash computations will be needed on average to find a suitable U'_i. As-
suming t = 21 and a processing power of 2^{18} hash values per second as above,
this means 8 seconds for a standard user to find U'_i.

Now let us check P1 through P5 stated above.

P1. To modify the agent route, at least one step U_i should be modified into a
U'_i ≠ U_i by some attacker who does not know how to decrypt U_i nor U'_i (see the
discussion above). This has been shown to be computationally infeasible
earlier in this section.

P2. Host H_i decrypts U_i using the key k_i and should obtain three IP ad-
dresses, of which the second one should be its own address H_i. If this is not
so, then H_i was not included in the route by H_0.

P3. Decryption of U_i allows H_i to learn the addresses of H_{i-1} and H_{i+1}. The
remaining addresses of the route are encrypted in U_j, for j ≠ i, with keys
k_j unknown to H_i. Thus, the rest of the hosts in the route remain undisclosed
to H_i.

P4. This property can be satisfied only if IP communication between hosts is
authenticated. In this case, every host H_i knows which is the actual host
H'_{i-1} the agent is coming from. On the other hand, decryption of U_i provides
H_i with the IP address of the host H_{i-1} the agent should come from. In
this way, H_i can detect whether H'_{i-1} ≠ H_{i-1}.

P5. To satisfy this property, a timestamp or an expiration date t should be
appended by the agent owner to each tuple (H_{i-1}, H_i, H_{i+1}, m_i) before
encrypting the tuple into U_i.



4 Reducing the Computational Cost of Route Protection 

The main thrust behind the proposal of Section 3 was to reduce the verification 
cost. If the agent owner is very busy launching a lot of agents each on a different 
route, the priority may be to reduce the cost of route protection with respect 
to previous proposals. This is what is achieved by the mechanism presented in 
this section: as compared to conventional schemes recalled in Section 2, route 
protection is faster and route verification requires the same amount of work (one 
signature verification per step). 

The mechanism discussed here uses binary Merkle trees as its basic tool. Binary
Merkle trees are trees constructed as follows. Each leaf is a statement plus the
hash of that statement. The hash values of pairs of siblings in the tree are hashed
together to get a hash value for their parent node; this procedure iterates until
the hash value RV of the root node of the tree has been obtained. We use Merkle
trees to construct signatures for each step of the route in a similar way as they are
used in [6] and [4] to construct public-key certificates. The main advantage of
Merkle trees is that one signature on the root node of the tree allows independent
integrity verification for all leaves, provided that the hash function used is one-
way and collision-free.

Suppose the agent owner has to sign the steps of a route or of several routes,
where the i-th step of the route is (H_{i-1}, H_i, H_{i+1}, m_i), that is, the IP addresses
of three consecutive hosts plus the method to be run at host H_i (just like in the
mechanism described in Section 3).

The algorithm below uses a one-way collision-free hash function F and allows 
the agent owner to sign all the steps corresponding to a route with a single digital 
signature. 

Algorithm 3 (Route protection with Merkle trees)

1. [Notation] Let the IP addresses of the hosts along the route be H_1, ..., H_n.
Let k_i be a symmetric encryption key set up for secret communication from
the agent owner H_0 to H_i.⁴

2. [Encryption] The agent owner computes U_i = E_{k_i}(H_{i-1}, H_i, H_{i+1}, m_i) for
i = 1, ..., n - 1. For i = n, compute U_n = E_{k_n}(H_{n-1}, H_n, H_0, m_n).

3. [Merkle tree computation] H_0 computes a binary Merkle tree by taking
as leaves the statements U_i and their hash values F(U_i), for i = 1 to n.

4. [Signature] After creating the Merkle tree, its root value RV is digitally
signed into S_0(RV) by the agent owner using her private key.

Define the ver-path for a route step U_i to be the path from the leaf containing
(U_i, F(U_i)) to the root RV, together with the hash values needed to verify that
path (i.e., the hash values of the siblings of the nodes along that path). Note that the
length of the ver-path of a leaf equals the height of the tree and grows only
logarithmically with the number of leaves.

Let us now detail the route verification algorithm: 

Algorithm 4 (Route verification with Merkle trees)

1. [Start of route] The agent is sent by H_0 to the first host of the route, that
is H_1, together with all route steps U_i, for i = 1, ..., n, and the Merkle tree
for the whole route with the signed RV.

2. [Operation at host H_i] H_i takes the i-th route step U_i, extracts its ver-
path from the Merkle tree and verifies this ver-path (by recomputing all in-
termediate hash values starting from (U_i, F(U_i)) up to the root). Then
H_i checks whether the root value recomputed using U_i and its ver-path is
the same RV signed by H_0. If the check is OK, H_i decrypts U_i and obtains
(H_{i-1}, H_i, H_{i+1}, m_i) for i < n or (H_{n-1}, H_n, H_0, m_n) for i = n. At this
moment, H_i runs m_i and, after that, forwards to H_{i+1} (or to H_0 if i = n)
U_{i+1}, ..., U_n along with the part of the Merkle tree needed to verify the re-
maining route steps (nodes which do not belong to any ver-path of the remaining
steps can be pruned).

3. [End of route] The route ends at the agent owner H_0.

⁴ As in the previous scheme, we do not require here that H_0 authenticate itself to H_i
when setting up k_i (even if this would make route step authentication nearly trivial).
The reason is that this scheme aims at minimizing the computation at H_0.

4.1 Computational Cost

For a host H_i along the route, the computational cost of route verification using
Algorithm 4 is a number of hash computations equal to the length of the ver-path
for step i (typically a one-digit figure), plus one signature verification and one
symmetric decryption. According to the figures by Rivest mentioned in Section 3,
a signature verification takes as long as 100 hash computations, so the route
verification cost is essentially the cost of one signature verification (just like for
the previous schemes described in Section 2).

For the agent owner, the cost consists of the hash computations needed to
create the Merkle tree (or update it, if the same tree is shared by all routes),
plus the signature on the root value RV. Since computing a digital signature
typically takes as long as 10000 hash computations, the cost is essentially one
digital signature for the whole route. This is much lower than the cost for the schemes
in Section 2, which required one digital signature per route step.

In addition to reducing the number of signatures for route protection, Merkle
trees allow mobile agents to convey the protected route in a compact way. Inde-
pendent protection of each route step would require the agent to initially convey
one signature per step, that is 1024n bits for an n-step route (assuming 1024-bit
RSA signatures). Storing the route as a binary Merkle tree with one leaf per
step requires one hash value per tree node and a single signature for the whole
tree; this makes 1024 + 160 · (2n - 1) bits to be conveyed by the agent, assuming
SHA is used as hash function. This is substantially less than 1024n bits.
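Algorithms 3 and 4 worked in Python, including the pruning that step 2 of Algorithm 4 allows and the node count behind the size argument above. This is an added example and not the paper's code. Assumptions: F is SHA-256; the owner's signature S_0 on RV is modelled by HMAC-SHA256 under an owner key (a stand-in for a public-key signature, so in this toy the verifying hosts hold that key); when a level has an odd number of nodes the last node is paired with a copy of itself (the paper does not say how odd levels are handled, and this padding is why the constructed 5-leaf tree has 11 nodes rather than 2n - 1 = 9); the route steps U_i are given byte strings, the encryption layer being the same as in Section 3 and left out.

```python
"""Route protection with a binary Merkle tree (Algorithms 3 and 4), with pruning of
nodes that lie on no remaining ver-path. Added example, not the paper's code.
Assumptions: F = SHA-256; S_0 modelled by HMAC-SHA256 under an owner key (stand-in for
a public-key signature); an odd node at a level is paired with a copy of itself."""
import hashlib
import hmac


def F(data):
    return hashlib.sha256(data).digest()


def build_tree(steps):
    """Algorithm 3, step 3. Levels bottom-up: levels[0][i] = F(U_i), levels[-1] = [RV]."""
    level = [F(u) for u in steps]
    levels = [level]
    while len(level) > 1:
        padded = level + level[-1:] if len(level) % 2 else level
        level = [F(padded[j] + padded[j + 1]) for j in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def sign(owner_key, root):
    """Stand-in for S_0(RV); a real deployment signs RV with the owner's private key."""
    return hmac.new(owner_key, root, hashlib.sha256).digest()


def protect_route(steps, owner_key):
    """Algorithm 3: a single signature on the root value RV covers every route step."""
    levels = build_tree(steps)
    root = levels[-1][0]
    return levels, (root, sign(owner_key, root))


def needed_nodes(levels, indices):
    """The nodes that must travel with the agent so that the steps in `indices` stay
    verifiable (the sibling hashes of their ver-paths); all other nodes can be pruned."""
    keep = {}
    for index in indices:
        idx = index
        for lvl, level in enumerate(levels[:-1]):
            sib = idx ^ 1
            keep[(lvl, sib)] = level[sib] if sib < len(level) else level[idx]
            idx //= 2
    return keep


def verify_step(index, u, nodes, height, signed_root, owner_key):
    """Algorithm 4, step 2, at host H_i: recompute RV from U_i and its ver-path
    (`height` hashes), then check the owner's signature on RV."""
    h, idx = F(u), index
    for lvl in range(height):
        sib = nodes.get((lvl, idx ^ 1))
        if sib is None:
            return False                 # ver-path incomplete (pruned or withheld)
        h = F(sib + h) if idx & 1 else F(h + sib)
        idx //= 2
    root, sig = signed_root
    return h == root and hmac.compare_digest(sign(owner_key, root), sig)


def demo():
    """Constructed 5-step route; H_3 receives only the nodes needed for steps 3..5."""
    owner_key = b"owner-signing-key"                      # constructed
    steps = [b"U%d" % i for i in range(1, 6)]             # the U_i of Algorithm 3, step 2
    levels, signed_root = protect_route(steps, owner_key)
    height = len(levels) - 1
    carried = needed_nodes(levels, [2, 3, 4])             # what H_2 forwards to H_3
    ok = verify_step(2, steps[2], carried, height, signed_root, owner_key)
    forged = verify_step(2, b"U3-forged", carried, height, signed_root, owner_key)
    pruned = verify_step(0, steps[0], carried, height, signed_root, owner_key)
    return ok, forged, pruned, sum(len(level) for level in levels)


if __name__ == "__main__":
    print("(step 3 ok, forged step 3 ok, pruned step 1 ok, nodes) =", demo())
```

Pruning is what keeps the agent's payload small along the route: after H_2 forwards the agent, nothing about the leaves of U_1 and U_2 remains except the interior hashes that the later ver-paths need, so a later host can verify its own step but cannot even recompute the path of an earlier one.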



4.2 Security of the Scheme

Using Merkle trees to extend a single digital signature to a collection of messages
is not new [8,6]. Provided that the hash function used is one-way and collision-
free, there is no loss of security with respect to signing messages individually. Let
us check for this scheme the security properties P1 to P5 discussed in Section 3.2
for the hash collision scheme.

P1. To modify the i-th step, U_i should be modified into U'_i ≠ U_i. This would re-
quire finding a ver-path for U'_i such that its verification yields the same root
value obtained from verification of the ver-path of U_i. If the hash function
used is one-way and collision-free, this is computationally infeasible.

P2, P3, P4, P5. Same comments as in Section 3.2.







5 Conclusions and Extension to Flexible Itineraries 

One approach to secure mobile agent execution is restricting the agent route to 
trusted environments. A necessary condition for this solution to be practical is 
that the agent route be protected. We have proposed hash-based schemes which 
try to improve computational efficiency without degrading security: 

— The mechanism based on hash collisions concentrates on making route veri- 
fication very lightweight, while route protection stays somewhat costly. This 
mechanism is very appropriate for agents going through very busy hosts 
(these could deny service if verification was too time-consuming). 

— The mechanism based on Merkle trees aims at reducing the computational
work carried out by the agent owner to protect a route. This mechanism
is especially suitable when the agent owner is the bottleneck, as may
happen for very busy agent owners who must launch large numbers of mobile
agents each on a different route.

Both mechanisms presented here can be extended to flexible itineraries in the 
sense of [19,11]. Since each route step is independently coded (either as a hash 
collision or as a tree leaf), we could think of including several alternative paths 
going from a host Hi to another host Hj along the route. To do this, code all 
steps of the alternative paths. When choosing one particular path at a junction, 
the information (including methods) related to steps in alternative paths does 
not need to be conveyed by the agent to the next hosts in the route. Coding all 
alternative path steps substantially increases the route protection work in the 
scheme based on hash collisions (a new collision is needed for each route step). 
For the Merkle tree scheme, the computational overhead of including alternative 
paths is negligible: adding more leaves to the Merkle tree is fast and does not 
even significantly increase the length of ver-paths. 
Appendix. Hash Functions and the MicroMint System

Hash functions are widely used in cryptography to perform digital signatures.
A hash function, sometimes called a message digest, is a function F that takes a
variable-length input string x and converts it to a fixed-length output string y.
A hash function F is said to be computationally one-way if it is easy and fast
to compute the hash y = F(x) but, given y, it is hard to compute x such that
y = F(x). A hash function F is said to be collision-free if it is hard to find two
x, x' such that x ≠ x' and F(x) = F(x').

MicroMint [15] is a system for low-value payments (micropayments) where the coins are not digitally signed by the bank (or minting organization). Instead, the bank computes coins as $k$-way collisions, i.e. $k$ values whose hash images collide for a prespecified one-way hash function $F$. More formally, a coin is represented by $(x_1, \ldots, x_k)$ such that

$$F(x_1) = F(x_2) = \cdots = F(x_k) = y$$

where $y$ is an $m$-bit string. Increasing $k$ has the dual effect of increasing the computation needed to find the first collision and of accelerating the rate of collision generation once the first collision has been found; $k = 4$ is the value recommended by the MicroMint authors.

The verifier of a coin (the payee) accepts it as valid if it is a $k$-way collision and the $t$ high-order bits of $y$ match a value $z$ advertised by the bank at the start of the current validity period. Thus verification only requires computing $k$ hash values.
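The following Python program is an added example, not code from the paper or from the MicroMint system itself. It mints and verifies $k$-way collision coins over a toy 16-bit hash (SHA-256 truncated, an assumption chosen so that minting takes a fraction of a second) so that the two points above can be observed directly: the bank pays a birthday-style search cost to find the first 4-way collisions, while the payee's check costs exactly $k$ hash evaluations plus the comparison of the $t$ high-order bits with the advertised $z$. The names `mint`, `verify`, `F` and the parameter values are the example's own.

```python
"""MicroMint-style k-way collision coins over a toy m-bit hash (added example).
The hash F (SHA-256 truncated to M_BITS) and all parameters are assumptions
chosen so that minting finishes in well under a second; real MicroMint uses
far larger m and t."""
import hashlib
from collections import defaultdict

M_BITS = 16    # digest width m of the toy hash F
T_BITS = 4     # high-order bits of y that must equal the bank's advertised z
K = 4          # a coin is a 4-way collision, as recommended by the MicroMint authors

def F(x, m=M_BITS):
    """Toy one-way hash: the top m bits of SHA-256 over the 8-byte encoding of x."""
    d = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:4], "big") >> (32 - m)

def high_bits(y, t=T_BITS, m=M_BITS):
    return y >> (m - t)

def mint(z, n_coins, start=0, k=K):
    """Bank: hash x = start, start+1, ... and bucket preimages by F(x). A bucket
    whose digest begins with z and that reaches k entries is a coin (x_1, ..., x_k).
    Returns the coins and the number of hash evaluations spent."""
    buckets = defaultdict(list)
    coins = []
    x = start
    while len(coins) < n_coins:
        y = F(x)
        if high_bits(y) == z:              # only digests inside the validity window count
            buckets[y].append(x)
            if len(buckets[y]) == k:
                coins.append(tuple(buckets[y]))
                buckets[y] = []            # k further preimages of y would make another coin
        x += 1
    return coins, x - start

def verify(coin, z, k=K):
    """Payee: k hash evaluations; accept iff the k distinct x's collide and the
    t high-order bits of the common digest equal the bank's z."""
    if len(coin) != k or len(set(coin)) != k:
        return False
    digests = {F(x) for x in coin}
    return len(digests) == 1 and high_bits(next(iter(digests))) == z
```

Running `mint(z=5, n_coins=3)` spends tens of thousands of hash evaluations to produce three coins, whereas `verify` never hashes more than four values; a coin presented with the wrong $z$ (an expired validity period) or with a repeated preimage is rejected without any further work.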




A New Anonymous Fingerprinting Scheme with High Enciphering Rate

Minoru Kuribayashi^1 and Hatsukazu Tanaka^2

^1 Division of Information and Media Science, Graduate School of Science and Technology, Kobe University, 1-1 Rokkodai-cho, Nada-ku, Kobe, Japan 657-8501
minoru@es3.eedept.kobe-u.ac.jp
^2 Department of Electrical and Electronics Engineering, Faculty of Engineering, Kobe University, 1-1 Rokkodai-cho, Nada-ku, Kobe, Japan 657-8501
tanaka@eedept.kobe-u.ac.jp



Abstract. We propose a new anonymous fingerprinting scheme using the Okamoto-Uchiyama cryptosystem [1]. In the previous schemes [2]-[4] the enciphering rate is so small that they seem very difficult to implement for any application. In order to improve the rate, we apply the Okamoto-Uchiyama cryptosystem in our fingerprinting protocol. As a result, a buyer can commit a fingerprint to a merchant, to be embedded in digital content, anonymously and efficiently, and the amount of encrypted data is kept to a reasonable size. The security of both the buyer and the merchant is also protected in our scheme.



1 Introduction 

With the development of the Internet, multimedia content is increasingly handled in digital form on the network, which makes it easy to purchase digital content via a network. However, this raises several problems such as violation of ownership and illegal distribution of copies. Watermarking [5] is one of the effective schemes for solving these problems. It enables the owner to embed some information in the content and to extract it later, and its applications can be classified by the kind of embedded information as follows. When the information identifies the copyright owner, it can be applied to ownership protection. A fingerprinting scheme embeds information related to a buyer, and enables a merchant to trace the buyer from a redistributed copy. Symmetric fingerprinting schemes were proposed first. In such a scheme the original merchant embeds the buyer's identity in his/her content by himself/herself; therefore, the merchant cannot prove the buyer's treachery to anyone. To solve this problem, cryptographic methods were applied to obtain asymmetric fingerprinting schemes [6]. Furthermore, anonymous fingerprinting [2] was introduced to satisfy the condition that electronic market places should offer customers the same privacy as real-world market places.

The concept of anonymous fingerprinting introduced in [2] was presented only as a scheme built from general theorems. Explicit constructions were shown in [3] and [4], which are based on digital coins. Since all operations are simple computations such as modular multiplications and exponentiations, they seem easy to implement in a real application. However, from the point of view of the enciphering information rate, their efficiency is very bad. If one uses such a fingerprinting scheme for music, movies, etc., the amount of data to be sent becomes incredibly large. Therefore, the problem is how to embed a fingerprint in the digital content efficiently.

In this paper we propose a new construction of anonymous fingerprinting that overcomes the above drawback by exploiting the Okamoto-Uchiyama cryptosystem [1]. Since it has a homomorphic property, the multiplication of an encrypted fingerprint and encrypted digital content is equivalent to embedding the fingerprint in the digital content. This property lets a merchant embed a buyer's identity information in the ciphertext of his/her content. If the buyer can convince the merchant that the sent ciphertext really includes his/her identity, the anonymity of the buyer can be established. The trade between a buyer and a merchant is executed as follows. The buyer encrypts a fingerprint and commits it to the merchant using zero-knowledge proofs. The merchant embeds the received data in his/her encrypted digital content and returns it to the buyer. Finally the buyer decrypts and obtains the fingerprinted content without disclosing the fingerprint to the merchant. As a result, only the buyer possesses the fingerprinted content unless he/she redistributes it. Our main contribution is the achievement of a better enciphering rate than the conventional schemes [2]-[4].

2 Preliminary 

In this section we introduce some basic techniques used in our scheme. First we review and classify fingerprinting techniques. Then the bit commitment schemes exploited in the conventional scheme are reviewed, and some of their inherent problems are pointed out. Finally the Okamoto-Uchiyama public-key cryptosystem is summarized in order to define the encryption and decryption functions and their properties.

2.1 Fingerprinting

Digital contents such as images, music, movies, etc. are easily copied without any degradation. Fingerprinting is a cryptographic scheme for the copyright protection of digital content, assisted by a watermarking technique. The scheme deters illegal redistribution of digital content by making it possible for the merchant to identify the original buyer of a redistributed copy, whom we call a "traitor". Fingerprinting schemes can be classified into the following three classes.

Symmetric: The operation to embed a fingerprint is performed only by the merchant. Therefore, he/she cannot convince any third party of the traitor's treachery even if he/she has found the identity of a traitor in the content.

Asymmetric: Fingerprinting is an interactive protocol between a buyer and a merchant. After the sale, only the buyer obtains the data with the fingerprint. If the merchant finds the fingerprinted copy somewhere, he/she can identify the traitor and prove it to a third party.

Anonymous: A buyer can purchase fingerprinted content without revealing his/her identity to the merchant, but the merchant can still identify a traitor later. It also retains the asymmetric property.

Pfitzmann et al. [2] constructed an anonymous fingerprinting system from seven protocols: registration center key distribution, registration, data initialization, fingerprinting, identification, enforced identification and trial. Our contribution concerns the fingerprinting protocol, namely how to embed a fingerprint in digital data anonymously in a two-party protocol.

2.2 Bit Commitment Scheme 

In the anonymous fingerprinting scheme, a buyer and a merchant jointly embed a fingerprint. First, the buyer encrypts a fingerprint and sends it to the merchant. Then the merchant verifies that the received ciphertext is made from the real fingerprint, and embeds it in his/her encrypted content. Finally, the buyer receives the encrypted and fingerprinted content and decrypts it. After the protocol, only the buyer has the fingerprinted content, and his/her identity has not been disclosed. Here, one of the most important issues is how to embed the encrypted fingerprint in the encrypted content. To accomplish this, Pfitzmann et al. [3], [4] exploit two commitment schemes. One is applied for verifying that the commitment really contains the fingerprint to be embedded, and the other for embedding the fingerprint in the merchant's content. The former is based on the discrete logarithm problem, and the latter on quadratic residues [7], whose security depends on the difficulty of factoring $n$. Though an encrypted fingerprint can be embedded in the encrypted content, the enciphering rate is very small because each commitment can carry only a one-bit message in a $\log n$-bit ciphertext. To improve the rate, we propose a new method based on the Okamoto-Uchiyama cryptosystem [1].

2.3 Okamoto-Uchiyama Cryptosystem 

Let $p$ and $q$ be two large primes ($|p| = |q| = k$ bits) and $N = p^2 q$. Choose $g \in (\mathbb{Z}/N\mathbb{Z})^*$ randomly such that the order of $g_p = g^{p-1} \bmod p^2$ is $p$, where $\gcd(p, q-1) = 1$ and $\gcd(q, p-1) = 1$. Let $h = g^N \bmod N$ and define the function $L(x) = (x-1)/p$. The public key is $(N, g, h, k)$ and the secret key is $(p, q)$.

The cryptosystem, based on exponentiation modulo $N$, is constructed as follows.

Encryption: Let $m$ ($0 < m < 2^{k-1}$) be a plaintext. Selecting a random number $r \in \mathbb{Z}/N\mathbb{Z}$, the ciphertext is given by

$$C = g^m h^r \pmod N. \quad (1)$$

Decryption: Calculate first $C_p = C^{p-1} \bmod p^2$ and then

$$m = \frac{L(C_p)}{L(g_p)} \pmod p. \quad (2)$$

We denote the encryption function by $E(m, r)$ and the decryption function by $D(C)$. Three important properties of the scheme are the following P1, P2 and P3.

P1. It has a homomorphic property: if $m_0 + m_1 < p$,

$$E(m_0, r_0) \cdot E(m_1, r_1) = E(m_0 + m_1, r_0 + r_1) \pmod N. \quad (3)$$

P2. It is semantically secure if the following assumption, the $p$-subgroup assumption, holds: $E(0, r) = h^r \bmod N$ and $E(1, r') = g h^{r'} \bmod N$ are computationally indistinguishable, where $r$ and $r'$ are uniformly and independently selected from $\mathbb{Z}/N\mathbb{Z}$.

P3. Anyone can change a ciphertext $C = E(m, r)$ into another ciphertext $C' = C \cdot h^{r'} \bmod N$ while preserving the plaintext of $C$ (i.e., $C' = E(m, r'')$ with $r'' = r + r'$), and the relationship between $C$ and $C'$ is concealed.

The notation introduced here is used for the proposed scheme in the following section.

3 Proposed Scheme I 

The idea of our proposed scheme is to exploit the Okamoto-Uchiyama cryptosystem for anonymous fingerprinting. If we assume that a fingerprint is denoted by a number $m_0$ and a digital content by a number $m_1$, then a fingerprinted item becomes $m_0 + m_1$ by property P1. In our scheme a buyer $\mathcal{B}$ can commit his/her identity to a merchant $\mathcal{M}$ as a fingerprint without revealing its actual value, and $\mathcal{M}$ can embed the fingerprint in the content in enciphered form. After receiving the encrypted and fingerprinted content, $\mathcal{B}$ decrypts it, but cannot remove the fingerprint.

3.1 Fingerprinting Protocol 

The anonymous fingerprinting protocol is executed between a buyer $\mathcal{B}$ and a merchant $\mathcal{M}$. $\mathcal{B}$ commits his/her identity $id$, given by its binary digits $w_j \in \{0, 1\}$ ($0 \le j \le \ell - 1$), to $\mathcal{M}$ in enciphered form, $com_j$, and $\mathcal{M}$ encrypts his/her content $I_i$ ($0 \le i \le L - 1$) and multiplies it by the received $com_j$. We assume that $\mathcal{B}$ has already registered at a center $\mathcal{RC}$ and has sent $\mathcal{M}$ the registration proof and his/her identity proof $W = g^{id} \bmod N$. Under this assumption, the fingerprinting protocol is as follows.

[ Fingerprinting ]

Step 1. $\mathcal{M}$ generates a random number $a$ ($2^\ell < a < N$) and sends it to $\mathcal{B}$.

Step 2. $\mathcal{B}$ decomposes $a$ into $\ell$ random numbers $a_j$ satisfying

$$a = \sum_{j=0}^{\ell-1} 2^j a_j. \quad (4)$$

A bit commitment to each $w_j$ is calculated as

$$com_j = g^{w_j} h^{a_j} \pmod N \quad (5)$$

and sent to $\mathcal{M}$.

Step 3. To verify the commitments, $\mathcal{M}$ calculates

$$V = h^a \pmod N \quad (6)$$

and makes sure that the following equation is satisfied:

$$\prod_{j=0}^{\ell-1} com_j^{\,2^j} = W \cdot V \pmod N. \quad (7)$$

Step 4. $\mathcal{M}$ generates $L$ random numbers $b_i \in \mathbb{Z}/N\mathbb{Z}$ and an even embedding intensity $T$. Then, in order to get the encrypted and fingerprinted content, $\mathcal{M}$ calculates

$$Y_i = \begin{cases} g^{I_i} h^{b_i} \cdot com_j^{\,T} \cdot g^{-T/2} \pmod N & \text{marking position} \\ g^{I_i} h^{b_i} \pmod N & \text{elsewhere} \end{cases} \quad (8)$$

and sends it to $\mathcal{B}$.

Step 5. Since the received $Y_i$ can be rewritten as

$$Y_i = \begin{cases} g^{I_i + T w_j - T/2}\, h^{b_i + T a_j} \pmod N & \text{marking position} \\ g^{I_i} h^{b_i} \pmod N & \text{elsewhere,} \end{cases} \quad (9)$$

$\mathcal{B}$ can decrypt $Y_i$ to get the plaintext

$$D(Y_i) = \begin{cases} I_i + T w_j - T/2 \pmod p & \text{marking position} \\ I_i \pmod p & \text{elsewhere.} \end{cases} \quad (10)$$

On the deciphered message, if $w_j = 1$ then $T/2$ has been added to $I_i$, and if $w_j = 0$ then $T/2$ has been subtracted from $I_i$. As this characteristic suits several watermarking schemes such as [8], our scheme can be applied easily.

Remark 1. If we regard $w_j$ as a message and $a_j$ as a random number, then $com_j$ can be written as $E(w_j, a_j)$ and $com_j^T$ as $E(T w_j, T a_j)$, because

$$com_j^{\,T} = (g^{w_j} h^{a_j})^T \pmod N = g^{T w_j} h^{T a_j} \pmod N = E(T w_j, T a_j). \quad (11)$$

In Eq. (8), $g^{I_i - T/2} h^{b_i} = E(I_i - T/2, b_i)$ can be regarded as $\mathcal{M}$'s enciphered content, and then by property P1, $Y_i$ at a marking position can be rewritten as

$$Y_i = E(T w_j, T a_j) \cdot E(I_i - T/2, b_i) = E(I_i + T w_j - T/2,\; T a_j + b_i). \quad (12)$$

Here, from Subsection 2.3, the message $I_i - T/2$ must satisfy the inequality $0 < I_i - T/2 < 2^{k-1}$. If $\mathcal{M}$ uses $I_i$ as a pixel value directly, suitable pixels that satisfy this inequality can easily be selected for embedding a fingerprint. However, if $\mathcal{M}$ applies transformed coefficients, the message must first be mapped into this range.

3.2 Security for the Merchant 

In order to check the security, we consider some possible attacks. $\mathcal{B}$ may be able to forge his/her identity, as he/she has not proved in the fingerprinting protocol that the values $w_j$ ($0 \le j \le \ell - 1$) are binary. To solve this problem, the following additional protocol should be performed.

[ Binary Proof ]

Step 1. In order to check $com_j$, $\mathcal{M}$ generates random numbers $t_j$ and $c_j$ such that $t_j + c_j < 2^{k-1}$, calculates

$$Q_j = com_j^{\,t_j} \cdot g^{c_j} \pmod N, \quad (13)$$

and sends $Q_j$ to $\mathcal{B}$.

Step 2. $\mathcal{B}$ decrypts the received $Q_j$ as

$$D(Q_j) = w_j t_j + c_j \pmod p \quad (14)$$

and then generates a random number $r_j$ and calculates

$$com'_j = com_j^{\,t_j + c_j} \cdot h^{r_j} \pmod N \quad (15)$$

using the values $c_j$ and $Q_j$, or $t_j + c_j$. The details are given in Remark 2 below.

Step 3. After $\mathcal{M}$ receives $com'_j$, he/she sends $t_j$ and $c_j$ to prove that $Q_j$ was really produced from them.

Step 4. If Eq. (13) holds for the received $t_j$ and $c_j$, $\mathcal{B}$ sends $r_j$ to $\mathcal{M}$. If it does not hold, he/she can claim $\mathcal{M}$'s fraud.

Step 5. By verifying Eq. (15), $\mathcal{M}$ can certify that $com_j$ contains only one bit of information.

Remark 2. If $w_j = 0$ in Step 2, then $D(Q_j) = c_j$ and $Q_j = g^{c_j} h^{a_j t_j} \bmod N$. Using $Q_j$ and $c_j$, $\mathcal{B}$ can calculate

$$com'_j = Q_j \cdot g^{-c_j} \cdot h^{a_j c_j + r_j} \pmod N = h^{a_j (t_j + c_j) + r_j} \pmod N = E\bigl(0,\; a_j (t_j + c_j) + r_j\bigr) = com_j^{\,t_j + c_j} \cdot h^{r_j}. \quad (16)$$

If $w_j = 1$, then $D(Q_j) = t_j + c_j$. Therefore $com'_j$ is obtained as

$$com'_j = g^{t_j + c_j} h^{a_j (t_j + c_j) + r_j} \pmod N = E\bigl(t_j + c_j,\; a_j (t_j + c_j) + r_j\bigr) = com_j^{\,t_j + c_j} \cdot h^{r_j}. \quad (17)$$

Otherwise, $\mathcal{B}$ cannot calculate $com'_j$ from the decrypted $Q_j$, because knowledge of $t_j$ and $c_j$ separately, or of $t_j + c_j$, is indispensable. This lack of information makes it impossible to calculate $com'_j$ when $w_j$ is not binary. From the above facts, the following lemma can be proved.

Lemma 1. $\mathcal{B}$ can prove that $w_j$ is binary using a zero-knowledge protocol.

Proof. $\mathcal{B}$ cannot obtain both values $t_j$ and $c_j$ from $Q_j$, but only $w_j t_j + c_j$. Without knowledge of the two values, $\mathcal{B}$ cannot calculate $com_j^{\,t_j + c_j}$ except in the two cases $w_j = 0$ and $w_j = 1$. As $\mathcal{B}$ knows $w_j$, $a_j$ and $w_j (t_j + c_j)$, $com'_j$ can be calculated following Eqs. (16) and (17) if $w_j$ is binary. It is remarkable that, by property P3, the random number $r_j$ changes the ciphertext $com_j^{\,t_j + c_j}$ into $com_j^{\,t_j + c_j} \cdot h^{r_j} = E\bigl(w_j (t_j + c_j),\; a_j (t_j + c_j) + r_j\bigr)$ while preserving the plaintext $w_j (t_j + c_j)$. This guarantees that no information about $w_j$ leaks to $\mathcal{M}$, as he/she cannot distinguish $E\bigl(0,\; a_j (t_j + c_j) + r_j\bigr)$ from $E\bigl(t_j + c_j,\; a_j (t_j + c_j) + r_j\bigr)$. When $\mathcal{B}$ reveals $r_j$, $\mathcal{M}$ can make sure that $w_j$ is binary by verifying Eq. (15), but obtains no further information. Furthermore, $\mathcal{M}$ cannot deceive $\mathcal{B}$ in Step 2, as he/she must reveal the values $t_j$ and $c_j$ later in order to receive $r_j$. □

Using the above protocol, $\mathcal{B}$ can prove that $w_j$ is binary by Lemma 1, and hence $\mathcal{M}$ can embed $\mathcal{B}$'s identity properly and securely in his/her content. Another possible attack is to remove or change the embedded identity information directly in the fingerprinted content, but this is equivalent to attacking the applied watermarking system. We thus obtain the following theorem.

Theorem 1. The security concerning $\mathcal{M}$ is protected if the applied watermarking system is robust against attacks.

3.3 Security for the Buyer 

In order to certify the security concerning $\mathcal{B}$, we must prove that $\mathcal{M}$ cannot obtain $\mathcal{B}$'s identity under the following three assumptions:

(A1) The discrete logarithm problem is too difficult to solve.

(A2) The Okamoto-Uchiyama cryptosystem is secure.

(A3) $\mathcal{B}$ does not redistribute a copy.

From these assumptions, the following theorem can be proved.

Theorem 2. $\mathcal{B}$ can purchase content from $\mathcal{M}$ anonymously if the three assumptions A1, A2 and A3 are satisfied.

Proof. As $W = g^{id} \bmod N$, deriving the identity $id$ from $W$ is equivalent to solving the discrete logarithm problem, which is infeasible by assumption A1. In Step 2, the bit commitment $com_j$ has only two forms, $E(0, r)$ or $E(1, r)$, as the values $w_j$ are binary. By property P2, $\mathcal{M}$ cannot obtain $w_j$ from the commitment $com_j$ if assumption A2 holds. Were $\mathcal{M}$ to obtain a fingerprint from an illegally redistributed copy, the identity $id$ could be extracted from the decrypted $Y_i$; however, $\mathcal{M}$ never obtains such a copy under assumption A3. Hence the anonymity of $\mathcal{B}$ is preserved. □

By Theorem 2, $\mathcal{M}$ cannot abuse the identity of $\mathcal{B}$. Therefore, the security concerning $\mathcal{B}$ is protected.



4 Proposed Scheme II 



4.1 Modified Fingerprinting Protocol 

In the proposed scheme I, each $I_i$ is encrypted and fingerprinted independently. Since $I_i$ and $T$ are much smaller than $2^{k-1}$ ($< p$) and the ciphertext is much larger than $p$, the enciphering rate is small. To remedy this drawback, the size of the message to be encrypted should be made as large as $2^{k-1}$. Let $m_i$ be

$$m_i = \begin{cases} I_i + T w_j - T/2 & \text{marking position} \\ I_i & \text{elsewhere} \end{cases} \quad (18)$$

and let $s$ be the maximum bit-length of $m_i$. Since $s$ is much smaller than $k$, the message can be replaced by

$$M_{i'} = \sum_{t=0}^{c-1} 2^{st}\, m_{i'c + t}, \qquad 0 \le i' \le L/c - 1, \quad c = \lfloor k/s \rfloor. \quad (19)$$

After this modification, each $M_{i'}$ is encrypted to $E(M_{i'}, r)$, where $r$ is a random number. Let $y_i$ be the encrypted and fingerprinted $I_i$. Steps 4 and 5 of the fingerprinting protocol of the previous section are changed as follows.



[ Fingerprinting (modified) ]

Step 4. In order to get the encrypted and fingerprinted content $y_i$, $\mathcal{M}$ calculates

$$y_i = \begin{cases} g^{I_i} \cdot com_j^{\,T} \cdot g^{-T/2} \pmod N & \text{marking position} \\ g^{I_i} \pmod N & \text{elsewhere.} \end{cases} \quad (20)$$

To synthesize several $y_i$ into one ciphertext $Y_{i'}$, the following operation is performed using a random number $b_{i'} \in \mathbb{Z}/N\mathbb{Z}$:

$$Y_{i'} = \Bigl( \prod_{t=0}^{c-1} y_{i'c + t}^{\,2^{st}} \Bigr) \cdot h^{b_{i'}} \pmod N. \quad (21)$$

Step 5. $\mathcal{B}$ decrypts the received $Y_{i'}$ to obtain $M_{i'}$. Since he/she knows the bit-length $s$ of $m_i$, he/she can decompose $M_{i'}$ into the pieces $m_{i'c + t}$. Finally he/she obtains the fingerprinted content.

Remark 3. From Eqs. (11), (18)-(20) and property P3, Eq. (21) can be expressed as

$$Y_{i'} = \Bigl( \prod_{t=0}^{c-1} y_{i'c + t}^{\,2^{st}} \Bigr) \cdot h^{b_{i'}} \pmod N = g^{M_{i'}} h^{r} \pmod N = E(M_{i'}, r), \quad (22)$$

where $r$ collects $b_{i'}$ and the randomness $T a_j$ contributed by the commitments at the marking positions.



4.2 Security 

Concerning the security of the proposed scheme II, we need only consider Steps 4 and 5, as the other steps were already discussed in the previous section. First, we show the relation between $M_{i'}$ and its data structure. If the Okamoto-Uchiyama cryptosystem is secure and the bit-length of $M_{i'}$ is less than $k$, $\mathcal{B}$ can decrypt $Y_{i'} = E(M_{i'}, r)$. Here, in Eqs. (21) and (22), several pieces $m_{i'c + t}$ of fingerprinted content that compose $M_{i'}$ are encrypted in one ciphertext $E(M_{i'}, r)$, whereas each piece is encrypted separately in the proposed scheme I. Therefore, $M_{i'}$ must retain the special data structure described by Eq. (19). If $\mathcal{M}$ changes the data structure, $\mathcal{B}$ cannot decompose it into the correct pieces $m_{i'c + t}$, and can then claim that fact. Hence, with knowledge of the data structure, $\mathcal{B}$ can decompose the decrypted message $M_{i'}$ into $m_{i'c + t}$ and finally obtain the fingerprinted content. Furthermore, as $M_{i'}$ is simply produced by composing several pieces $m_{i'c + t}$, $\mathcal{B}$ cannot derive any information about the original content from the decrypted message.
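The Python program below is an added example and not the authors' code. It implements the Okamoto-Uchiyama cryptosystem of Section 2.3 with toy 17-bit primes $p = 65537$, $q = 65521$ (an assumption; these give no security and exist only to keep the numbers small), then runs Steps 1-5 of Section 3.1 on a handful of pixel values, the [Binary Proof] of Section 3.2 for each committed bit, and the packing of Section 4.1 with $s = 8$, so that the homomorphic embedding, the rejection of a non-binary $w_j$, and the $c = \lfloor k/s \rfloor$ pieces per ciphertext of scheme II can all be checked numerically. The function names (`keygen`, `commit`, `scheme1`, `scheme2`, `binary_proof`), the pixel values and the marking positions are the example's own.

```python
"""Toy Okamoto-Uchiyama (OU) cryptosystem plus the fingerprinting protocol of
Sections 3.1, 3.2 and 4.1 (added example). The 17-bit primes are an assumption
for demonstration only and give no security."""
import random
from math import gcd

def keygen(p, q, rng=random):
    """Public key (N, g, h, k) and secret key (p, q, g_p) as in Section 2.3."""
    assert gcd(p, q - 1) == 1 and gcd(q, p - 1) == 1
    N = p * p * q
    while True:
        g = rng.randrange(2, N)
        gp = pow(g, p - 1, p * p)               # g_p = g^{p-1} mod p^2
        if gcd(g, N) == 1 and gp != 1:          # g_p != 1 iff its order is p
            break
    return (N, g, pow(g, N, N), p.bit_length()), (p, q, gp)

def encrypt(pub, m, r):                          # Eq. (1): C = g^m h^r mod N
    N, g, h, k = pub
    assert 0 <= m < 2 ** (k - 1), "plaintext must be below 2^{k-1}"
    return pow(g, m, N) * pow(h, r, N) % N

def decrypt(pub, priv, C):                       # Eq. (2): L(C_p) / L(g_p) mod p
    p, _, gp = priv
    L = lambda x: (x - 1) // p
    return L(pow(C, p - 1, p * p)) * pow(L(gp), -1, p) % p

def split(a, ell, rng):
    """Eq. (4): random non-negative a_j with a = sum_j 2^j a_j."""
    parts, rem = [0] * ell, a
    for j in range(ell - 1, 0, -1):
        parts[j] = rng.randrange(0, (rem >> j) + 1)
        rem -= parts[j] << j
    parts[0] = rem
    return parts

def commit(pub, bits, a, rng):
    """Step 2: com_j = g^{w_j} h^{a_j} (Eq. 5); returns the a_j and com_j lists."""
    a_j = split(a, len(bits), rng)
    return a_j, [encrypt(pub, w, r) for w, r in zip(bits, a_j)]

def verify_commit(pub, W, a, com):
    """Step 3: prod_j com_j^{2^j} == W * h^a (Eqs. 6-7)."""
    N, _, h, _ = pub
    lhs = 1
    for j, c in enumerate(com):
        lhs = lhs * pow(c, 1 << j, N) % N
    return lhs == W * pow(h, a, N) % N

def mark(pub, com, i, I, marks, T):
    """g^{I_i} com_j^T g^{-T/2} at a marking position (Eq. 20), else g^{I_i}."""
    N, g, _, _ = pub
    y = pow(g, I, N)
    if i in marks:
        y = y * pow(com[marks[i]], T, N) % N * pow(g, -(T // 2), N) % N
    return y

def scheme1(pub, priv, bits, pixels, marks, T, rng):
    """Identity proof W = g^{id}, then Steps 1-5 of Section 3.1; returns D(Y_i)."""
    N, _, h, _ = pub
    W = pow(pub[1], sum(w << j for j, w in enumerate(bits)), N)
    a = rng.randrange(2 ** len(bits) + 1, N)                        # Step 1
    a_j, com = commit(pub, bits, a, rng)                            # Step 2
    assert verify_commit(pub, W, a, com)                            # Step 3
    Y = [mark(pub, com, i, I, marks, T) * pow(h, rng.randrange(N), N) % N
         for i, I in enumerate(pixels)]                             # Step 4, Eq. (8)
    return [decrypt(pub, priv, y) for y in Y]                       # Step 5, Eq. (10)

def scheme2(pub, priv, com, pixels, marks, T, s, rng):
    """Scheme II: pack c = floor(k/s) marked pieces per ciphertext (Eqs. 19-21)."""
    N, _, h, k = pub
    c = k // s
    assert c * s <= k - 1 and len(pixels) % c == 0
    ys = [mark(pub, com, i, I, marks, T) for i, I in enumerate(pixels)]
    pieces = []
    for i2 in range(len(pixels) // c):
        Y = 1
        for t in range(c):                                          # Y = prod y^{2^{st}} * h^b
            Y = Y * pow(ys[i2 * c + t], 1 << (s * t), N) % N
        M = decrypt(pub, priv, Y * pow(h, rng.randrange(N), N) % N)
        pieces += [(M >> (s * t)) & ((1 << s) - 1) for t in range(c)]  # B unpacks M_{i'}
    return pieces

def binary_proof(pub, priv, w, a_j, com_j, rng):
    """Section 3.2 [Binary Proof]; True iff M accepts com'_j in Step 5 (Eq. 15)."""
    N, g, h, _ = pub
    t, c = rng.randrange(1, 1 << 10), rng.randrange(1, 1 << 10)     # Step 1 (M)
    Q = pow(com_j, t, N) * pow(g, c, N) % N                          # Eq. (13)
    d = decrypt(pub, priv, Q)                                        # Step 2 (B): w t + c
    r = rng.randrange(N)
    if w == 0:                                                       # Eq. (16): d = c
        com2 = Q * pow(g, -d, N) % N * pow(h, a_j * d + r, N) % N
    else:                                                            # Eq. (17): d = t + c
        com2 = pow(g, d, N) * pow(h, a_j * d + r, N) % N             # (a non-binary w fails here)
    assert Q == pow(com_j, t, N) * pow(g, c, N) % N                  # Steps 3-4: M opens t, c
    return com2 == pow(com_j, t + c, N) * pow(h, r, N) % N           # Step 5 (M)
```

With identity bits $(w_0, w_1, w_2, w_3) = (1, 0, 1, 1)$, $T = 8$ and pixels 120, 37, 200, 9, 64 marked at positions 0, 2 and 4 with bits 0, 1 and 3, `scheme1` returns 124, 37, 196, 9, 68: the marked pixels move by $\pm T/2$ according to $w_j$ and the others are untouched, exactly as Eq. (10) predicts. A commitment to $w_j = 2$ passes Step 3 of the fingerprinting protocol but is rejected by `binary_proof`, which is why Section 3.2 needs the extra round trip.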

5 Improvement of the Enciphering Rate 

In this section, we discuss the efficiency of our scheme compared with the conventional one. Here, omitting the computational complexity, we consider only the enciphering rate, since every calculation is a simple modular multiplication or exponentiation similar to those of the conventional scheme. We assume that a digital content consists of $L$ pixels of an $x$-bit grey-scale image and that $\mathcal{B}$'s identity is $\ell$ bits. As $L$ is much larger than $\ell$, we evaluate the rate only on the encrypted and fingerprinted content. In [3] and [4], the security is based on the difficulty of factoring $n$. Each bit of the content is encrypted separately, so the total amount of encrypted data is $xL \log n$ bits. On the other hand, the security of our schemes is based on the difficulty of factoring $N$ ($= p^2 q$, $3k$ bits). In the proposed scheme I, the amount of encrypted data is $L \log N$ ($= 3kL$) bits, as each pixel is encrypted. In the proposed scheme II, it is $(L \log N)/c$ ($\approx 3sL \approx 3xL$) bits, because there are $L/c$ messages $M_{i'}$ to be encrypted, where $s$ is the bit-length of each message and $s \approx x$. Hence, if $\log n \approx \log N = 3k$, the enciphering rates are as shown in Table 1.

Table 1. Enciphering rate

  conventional   scheme I   scheme II
  $1/3k$         $x/3k$     $1/3$

Furthermore, the rate can be increased by restricting the embedding positions, for the following reason. Some watermarking schemes embed in the spatial domain, but almost all schemes embed in a transformed domain such as the DCT, DFT or wavelet domain. Generally, a signal embedded in the transformed (frequency) domain is more robust against attacks than one embedded in the spatial (time) domain, and the high-frequency components are easily and seriously affected by attacks [5]. Hence, it is desirable to select suitable components for embedding a fingerprint. Then, by leaving the high-frequency components unencrypted, the total amount of data can be decreased. However, if the number of encrypted components is very small, $\mathcal{B}$ may be able to derive the selected positions and remove or change the embedded fingerprint. Therefore, the trade-off between security and rate must be considered.

6 Conclusion 

We have proposed a new anonymous fingerprinting scheme based on the Okamoto- 
Uchiyama cryptosystem. The achievement of our proposed scheme is the im- 
provement of enciphering rate that is too small in the conventional one. Using 
the Okamoto-Uchiyama cryptosystem, an encrypted fingerprint can be embed- 
ded in an encrypted content with high enciphering rate, and then the buyer’s 
anonymity can be protected. Furthermore, the protocol can be performed be- 
tween only two parties, a buyer and a merchant, which is similar to a real-world 
market. 
Abstract. We describe a parallel algorithm for extending a small domain hash function to a very large domain hash function. Our construction can handle messages of any practical length and preserves the security properties of the basic hash function. The construction can be viewed as a parallel version of the well known Merkle-Damgard construction, which is a sequential construction. Our parallel algorithm provides a significant reduction in the computation time of the message digest, which is a basic operation in digital signatures.

Keywords: cryptographic hash function, Merkle-Damgard construction, parallel algorithm, collision resistance.



1 Introduction 

Hash functions are extensively used in cryptographic protocols. One of the main 
uses of hash functions is to generate a message digest from a message. This 
message digest is signed to get a digital signature. Due to the central importance 
of hash functions in cryptography, there has been a lot of work in this area. See [6] 
for a recent survey. 

For a hash function to be used in cryptographic protocols, it must satisfy 
certain necessary conditions. In a recent paper [8], Stinson provides a compre- 
hensive discussion of these conditions and also relations among them. The two 
most important properties that a cryptographic hash function must satisfy are 
the following: (a) finding a collision must be computationally infeasible and (b) 
finding a preimage of a given message digest must be computationally infeasible. 

A hash function maps a set of longer messages into a set of shorter message digests. The range is finite, while the domain can possibly be (countably) infinite. Thus, theoretically, a hash function can map arbitrary length strings to finite length strings. However, hash functions with an infinite (or very large) domain can be difficult to construct directly. An alternative approach is to take a hash function with a small finite domain and suitably extend it to handle long strings. The extension must preserve the security properties (difficulty of finding collisions and preimages) of the original hash function. An important construction for such extensions has been described by Merkle [3] and Damgard [2]. The construction is called the Merkle-Damgard (MD) construction.

The MD construction is a sequential construction. Suppose the basic hash function has domain $\{0,1\}^{512}$ and range $\{0,1\}^{128}$. Further, suppose that the message to be signed is long, say 1 Mbit ($= 2^{20}$ bits). If the MD construction is applied to the message, then the time taken to generate the digest is proportional to $2^{20}/(512 - 128)$, the number of sequential invocations of the basic function. For many applications this can cause an undesirable delay.

In this paper we build on the basic MD construction. We introduce a parallel version of this construction which preserves the security features of the basic hash function. The parallel version uses $2^t$ processors for some $t$ and produces a significant speed-up in the computation of the message digest.

Related Work: The concept of tree hashing has appeared before in the liter- 
ature. Wegman and Carter [10] used tree hashing techniques to build universal 
hash functions. This was followed up by Naor and Yung [5] and Bellare and Ro- 
gaway [1] in the context of universal one way hash functions. Damgard [2] briefly 
outlines a tree hashing approach for extending collision resistant hash functions. 

In this paper we concentrate exclusively on developing a parallel tree based 
algorithm for extending cryptographic hash functions. The main difference be- 
tween our model and previous models is that we consider the number of available 
processors to be fixed while the length of the message can be arbitrarily long. 
Thus we consider a fixed processor tree and use it to hash arbitrarily long mes- 
sages. Each processor simply computes the base hash function. The resulting 
increase in speed of computation of the message digest is almost linear in the 
number of processors. As an example, it may not be very expensive to use a 
tree of 32 or 64 processors to reduce the time required for message digest com- 
putation by a factor of 32 or 64 respectively. We believe that our algorithm has 
potential practical applications in digital signature computation. 

Due to lack of space, proofs and detailed discussions cannot be presented in this paper. For these we refer the reader to [7].



2 Basics 

2.1 Hash Functions 

Our description of hash functions closely parallels that of Stinson [8]. An $(n, m)$ hash function $h$ is a function $h : \{0,1\}^n \to \{0,1\}^m$. Throughout this paper we require that $n \ge 2m$. Consider the following problem as defined in [8].

Problem: Collision $\mathrm{Col}(n, m)$
Instance: An $(n, m)$ hash function $h$.
Find: $x, x' \in \{0,1\}^n$ such that $x \ne x'$ and $h(x) = h(x')$.

By an $(\epsilon, p)$ (randomized) algorithm for Collision we mean an algorithm which invokes the hash function $h$ at most $p$ times and solves Collision with probability of success at least $\epsilon$.

The hash function $h$ has a finite domain. We would like to extend it to an infinite domain. Our first step in doing this is the following. Given $h$ and a positive integer $L$, we construct a hash function $h_L : \{0,1\}^L \to \{0,1\}^m$. The next step, in general, is to construct a hash function $h^\infty : \bigcup_{L \ge n} \{0,1\}^L \to \{0,1\}^m$. However, instead of doing this, we actually construct a hash function $h^* : \bigcup_{L=n}^{N} \{0,1\}^L \to \{0,1\}^m$, where $N = 2^{n-m} - 1$. Since we assume $n \ge 2m$, we have $n - m \ge m$. Practical message digests are at least 128 bits long, so we may take $m = 128$. Hence our construction of $h^*$ can handle any message with length $< 2^{128}$. This is sufficient for any conceivable application. (If we estimate that there are 32 billion computers, that is about 5 computers per man, woman and child, and each computer has 1024 gigabytes of disk storage, and each byte has eight bits, the number of bits that can be stored on all these computer systems combined is a mere $2^5 \times 2^{30} \times 2^{10} \times 2^{30} \times 2^3 = 2^{78}$ bits.) Our construction of $h^*$ can be extended to construct $h^\infty$; this will be provided in the full version of the paper.

We would like to relate the difficulty of finding a collision for $h_L$ and $h^*$ to that of finding a collision for $h$. Thus we consider the following two problems (see [8]).

Problem: Fixed length collision $\mathrm{FLC}(n, m, L)$
Instance: An $(n, m)$ hash function $h$ and an integer $L \ge n$.
Find: $x, x' \in \{0,1\}^L$ such that $x \ne x'$ and $h_L(x) = h_L(x')$.

Problem: Variable length collision $\mathrm{VLC}(n, m, L)$
Instance: An $(n, m)$ hash function $h$ and an integer $L$ with $n \le L < 2^{n-m}$.
Find: $x, x' \in \bigcup_{i=n}^{L} \{0,1\}^i$ such that $x \ne x'$ and $h^*(x) = h^*(x')$.

By an $(\epsilon, p, L)$ (randomized) algorithm $A$ for Fixed length collision (resp. Variable length collision) we mean an algorithm that requires at most $p$ invocations of the function $h$ and solves Fixed length collision (resp. Variable length collision) with probability of success at least $\epsilon$. The algorithm $A$ is given an oracle for the function $h$, and $p$ is the number of times $A$ queries the oracle for $h$ in attempting to find a collision for $h_L$ (resp. $h^*$).

Later we show Turing reductions from Collision to Fixed length collision and Variable length collision. Informally this means that given oracle access to an algorithm for solving $\mathrm{FLC}(n, m, L)$ for $h_L$ or $\mathrm{VLC}(n, m, L)$ for $h^*$, it is possible to construct an algorithm to solve $\mathrm{Col}(n, m)$ for $h$. These will show that our constructions preserve the intractability of finding collisions.



2.2 Processor Tree 

Our construction is a parallel algorithm requiring more than one processors. 
The number of processors is 2*. Let the processors be Pq, ■ ■ ■ For i = 

0, . . . ,2*“^ — 1, processor Pi is connected to processors P^i and P^i+i by arcs 
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pointing towards it. The processors P2t~i, ■ • ■ , P 2 *-i are the leaf processors and 
the processors Pq, . . . , P 2 *-i-i are the internal processors. We call the resulting 
tree the processor tree of depth t. For I < i < t, there are 2*“^ processors at 
level i. Further, processor Pq is considered to be at level 0. 

Each of the processors gets an input which is a binary string. The action of
the processor is to apply the hash function h on the input if the length of the
input is n; otherwise, it simply returns the input:

    P_i(y) = \begin{cases} h(y) & \text{if } |y| = n, \\ y & \text{otherwise.} \end{cases}        (1)



For 0 ≤ i ≤ 2^t − 1, we have two sets of buffers U_i and Z_i. We will identify
these buffers with the binary strings they contain. The buffers are used by the
processors in the following way. There is a formatting processor P_F which reads
the message x, breaks it into proper length substrings, and writes to the buffers
U_i. For 0 ≤ i ≤ 2^{t−1} − 1, the input buffers of P_i are Z_{2i}, Z_{2i+1} and U_i and
the input to P_i is formed by concatenating the contents of these buffers. For
2^{t−1} ≤ i ≤ 2^t − 1, the input buffer of P_i is U_i. The output buffer of P_i is Z_i for
0 ≤ i ≤ 2^t − 1.

Our parallel algorithm goes through several parallel rounds. The contents of 
the buffers Ui and Zi are updated in each round. To avoid read/write conflicts 
we will assume the following sequence of operations in each parallel round. 

1. The formatting processor P_F writes into the buffers U_i for 0 ≤ i ≤ 2^t − 1.

2. Each processor Pi reads its respective input buffers. 

3. Each processor Pi performs the computation in (1). 

4. Each processor Pi writes into its output buffer Zi. 

Steps (2) to (4) are performed by the processors P_0, ..., P_{2^t − 1} in parallel after
Step (1) is completed by processor P_F.



2.3 Parameters and Notation 

Here we introduce some notation and define certain parameters which are going 
to be used throughout the paper. 

Number of processors: 2^t.

Start-up length: 2^t n.

Flushing length: (2^{t−1} + 2^{t−2} + ··· + 2^1 + 2^0)(n − 2m) = (2^t − 1)(n − 2m).
Start-up + flushing length: δ(t) = 2^t n + (2^t − 1)(n − 2m) = 2^t(2n − 2m) − (n − 2m).

Steady-state length: λ(t) = 2^{t−1} n + 2^{t−1}(n − 2m) = 2^{t−1}(2n − 2m).
Message: a binary string x of length L.

Parameters q, b and r:

1. If L > δ(t), then q and r are defined by the following equation: L − δ(t) =
qλ(t) + r, where r is the unique integer from the set {1, ..., λ(t)}. Define
2. If L = δ(t), then q = b = r = 0.

Note that 0 ≤ b ≤ 2^{t−1}. We will denote the empty string by ⟨⟩ and the length
of a binary string x by |x|.

3 Fixed Length Input 

In this section we describe the construction of the function h_L. The construction
is naturally divided into two cases depending on whether L ≥ δ(t) or L < δ(t).
We first show that the case L < δ(t) reduces to the case L ≥ δ(t') for some
t' < t. Thus the case L < δ(t) is tackled using only a part of the processor tree.

3.1 Case L < δ(t)

Let t' < t be such that δ(t') ≤ L < δ(t' + 1). We use the processor tree only up to
level t' and use the parallel hashing algorithm of Section 3.2 with t replaced by
t'. Thus we are not utilizing all the available processors. It can be shown that
this results in a cost of at most one additional parallel round. We will present
this proof in the full version of the paper.

3.2 Case L ≥ δ(t)

We first describe the parallel hashing algorithm. This algorithm uses several 
other algorithms as subroutines. We describe these later. 

The parameters b and q defined in Section 2.3 will be used in the algorithms
that we describe next. More specifically, the parameter q will be used in algorithm
PHA and the parameter b will be used in algorithms FEG and FF. These
parameters are assumed to be global parameters and are available to all the
subroutines. It is quite simple to modify the subroutines such that the parameters
are computed as and when required.

Parallel Hashing Algorithm (PHA)

Input: message x of length L ≥ δ(t).

Output: message digest h_L(x) of length m.

1. if L > δ(t), then
2.     x := x || 0^{b(2n−2m)−r}
       (ensures that the length of the message becomes
       δ(t) + qλ(t) + b(2n − 2m).)
3. endif.
4. Initialise buffers Z_i and U_i to empty strings, 0 ≤ i ≤ 2^t − 1.
5. Do FormatStartUp.
6. Do ParallelProcess.
7. for i = 1, 2, ..., q do
8.     Do FormatSteadyState.
9.     Do ParallelProcess.
10. endfor
11. Do FormatEndGame.
12. Do ParallelProcess.
13. for s = t − 1, t − 2, ..., 2, 1 do
14.     Do FormatFlushing(s).
15.     Do ParallelProcess.
16. endfor
17. z_0 := P_0(z_0 || z_1 || x).
18. return z_0.
19. end algorithm PHA

ParallelProcess (PP)

Action: Read buffers U_i and Z_i, and update buffers Z_i, 0 ≤ i ≤ 2^t − 1.

1. for i = 0, ..., 2^t − 1 do in parallel
2.     z_i := P_i(z_{2i} || z_{2i+1} || u_i) if 0 ≤ i ≤ 2^{t−1} − 1.
3.     z_i := P_i(u_i) if 2^{t−1} ≤ i ≤ 2^t − 1.
4. endfor
5. end algorithm PP
</gr_repl>

Formatting Algorithms. There are four formatting subroutines which are
invoked by PHA. Each of the formatting subroutines modifies the message x by
removing prefixes which are written to the buffers U_i for 0 ≤ i ≤ 2^t − 1. All the
formatting subroutines are executed on the formatting processor P_F.

FormatStartUp (FSU)

Action: For 0 ≤ i ≤ 2^t − 1, write a prefix of message x to buffer U_i and update
the message x.

1. for i = 0, ..., 2^t − 1 do
2.     Write x = v || y, where |v| = n.
3.     u_i := v.
4.     x := y.
5. endfor
6. end algorithm FSU
FormatSteadyState (FSS)

Action: For 0 ≤ i ≤ 2^t − 1, write a prefix of message x to buffer U_i and update
the message x.

1. for i = 0, ..., 2^{t−1} − 1 do
2.     Write x = v || y, where |v| = n − 2m.
3.     u_i := v.
4.     x := y.
5. endfor
6. for i = 2^{t−1}, ..., 2^t − 1 do
7.     Write x = v || y, where |v| = n.
8.     u_i := v.
9.     x := y.
10. endfor
11. end algorithm FSS
FormatEndGame (FEG)

Action: For 0 ≤ i ≤ 2^t − 1, write a prefix of message x to buffer U_i and update
the message x.

1. for i = 0, 1, 2, ..., 2^{t−1} − 1 do
2.     Write x = v || y where |v| = n − 2m.
3.     u_i := v.
4.     x := y.
5. endfor
6. for i = 2^{t−1}, 2^{t−1} + 1, ..., 2^{t−1} + b − 1 do
7.     Write x = v || y where |v| = n.
8.     u_i := v.
9.     x := y.
10. endfor
11. for i = 2^{t−1} + b, 2^{t−1} + b + 1, ..., 2^t − 1 do
12.     u_i := ⟨⟩.
13. endfor
14. end algorithm FEG

FormatFlushing(s) (FF(s))

Input: Integer s.

Action: For 0 ≤ i ≤ 2^t − 1, write a prefix of message x to buffer U_i and update
the message x.

1. k := ⌊(b + 2^{t−s−1} − 1) / 2^{t−s}⌋.
2. for i = 0, 1, 2, ..., 2^{s−1} + k − 1 do
3.     Write x = v || y where |v| = n − 2m.
4.     u_i := v.
5.     x := y.
6. endfor
7. for i = 2^{s−1} + k, 2^{s−1} + k + 1, ..., 2^t − 1 do
8.     u_i := ⟨⟩.
9. endfor
10. end algorithm FF

3.3 Correctness and Complexity

Here we state that algorithm PHA properly computes an m-bit message digest
and state various properties of the algorithm. In Section 3.4 we will provide the
security reduction of Col(n, m) to FLC(n, m, L). More detailed discussion and
proofs can be found in [7]. Algorithm PHA executes the following sequence of
parallel rounds.

1. Lines 5-6 of PHA execute one parallel round.

2. Lines 7-10 of PHA execute q parallel rounds.

3. Lines 11-12 of PHA execute one parallel round.

4. Lines 13-16 of PHA execute t − 1 parallel rounds.

5. We consider Line 17 of PHA to be a special parallel round.

From this we get the following result. 

Theorem 1. Algorithm PHA executes q + t + 2 parallel rounds. 

Each of the first (q + t + 1) parallel rounds consists of a formatting phase and
a hashing phase. In the formatting phase, the formatting processor P_F runs a
formatting subroutine and in the hashing phase the processors P_i (0 ≤ i ≤ 2^t − 1)
are operated in parallel. Denote by z_{i,j} the state of the buffer Z_i at the end of
round j, 0 ≤ i ≤ 2^t − 1, 1 ≤ j ≤ q + t + 2. Clearly, the state of the buffer Z_i at
the start of round j (2 ≤ j ≤ q + t + 2) is z_{i,j−1}. Further, let u_{i,j} be the string
written to buffer U_i in round j by the processor P_F. For 0 ≤ i ≤ 2^{t−1} − 1, the
input to processor P_i in round j is z_{2i,j−1} || z_{2i+1,j−1} || u_{i,j}. For 2^{t−1} ≤ i ≤ 2^t − 1,
the input to processor P_i in round j is the string u_{i,j}.

Theorem 2 (Correctness of PHA). 

1. Algorithm PHA terminates and provides an m-bit message digest. 

2. Algorithm PHA provides each bit of the message x as part of the input to 
precisely one invocation of the hash function h. 

Proposition 1. Let ψ(L) be the number of invocations of h by PHA on a padded
message of length L = δ(t) + qλ(t) + b(2n − 2m). Then ψ(L) = (q + 2)2^t + 2b − 1.
Moreover, ψ(L) is also the number of invocations of h made by the sequential
MD algorithm.

Remark: The time taken by the MD algorithm is proportional to the number 
of invocations of h whereas the time required by PHA is proportional to the 
number of parallel rounds. This is the basis for the speed-up obtained by PHA. 

Proposition 2. The maximum amount of padding added to any message is less 
than 2n — 2m. 
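As an added illustration (not code from the paper), here is a Python model of PHA with its four formatting subroutines, using SHA-256 truncated to m bits as a stand-in for the abstract (n, m) hash function h. check_pha hashes a constructed message and compares the number of parallel rounds with Theorem 1, the number of h invocations with Proposition 1, and the padded length with calls·(n − m) + m, which is what Theorem 2(2) implies. The count k in FormatFlushing(s) is assumed here to be ⌊(b + 2^{t−s−1} − 1)/2^{t−s}⌋, the number of level-s processors whose two children are both non-empty.

```python
import hashlib

def make_h(n, m):
    """Toy (n, m) hash function standing in for the paper's abstract h: SHA-256
    over the n-bit string, truncated to m bits.  The counter records invocations."""
    counter = {"calls": 0}
    def h(y):
        assert len(y) == n, "h is only ever applied to n-bit strings"
        counter["calls"] += 1
        digest = int.from_bytes(hashlib.sha256(y.encode()).digest(), "big")
        return format(digest, "0256b")[:m]
    return h, counter

class PHA:
    """PHA of Section 3.2 on a processor tree of depth t; bit strings are str of '0'/'1'."""

    def __init__(self, n, m, t):
        assert n > 2 * m and t >= 1
        self.n, self.m, self.t, self.N = n, m, t, 2 ** t
        self.delta = 2 ** t * n + (2 ** t - 1) * (n - 2 * m)  # start-up + flushing length
        self.lam = 2 ** (t - 1) * (2 * n - 2 * m)              # steady-state length
        self.h, self.counter = make_h(n, m)

    def P(self, y):                  # equation (1): hash n-bit inputs, else pass through
        return self.h(y) if len(y) == self.n else y

    def take(self, length):          # remove and return a prefix of the message x
        v, self.x = self.x[:length], self.x[length:]
        return v

    def parallel_process(self):      # PP: every processor reads before anyone writes
        half = self.N // 2
        inputs = [self.z[2 * i] + self.z[2 * i + 1] + self.u[i] if i < half else self.u[i]
                  for i in range(self.N)]
        self.z = [self.P(y) for y in inputs]
        self.rounds += 1

    def format_start_up(self):       # FSU: n bits to every processor
        for i in range(self.N):
            self.u[i] = self.take(self.n)

    def format_steady_state(self):   # FSS: n-2m bits to internals, n bits to leaves
        half = self.N // 2
        for i in range(self.N):
            self.u[i] = self.take(self.n - 2 * self.m if i < half else self.n)

    def format_end_game(self, b):    # FEG: internals as in FSS, only b leaves get data
        half = self.N // 2
        for i in range(self.N):
            if i < half:
                self.u[i] = self.take(self.n - 2 * self.m)
            else:
                self.u[i] = self.take(self.n) if i < half + b else ""

    def format_flushing(self, s, b): # FF(s): all levels below s plus k processors at level s
        # k = number of level-s processors whose two children are both non-empty;
        # assumed here as floor((b + 2^(t-s-1) - 1) / 2^(t-s)), whose sum over s is b-1.
        k = (b + 2 ** (self.t - s - 1) - 1) // 2 ** (self.t - s)
        active = 2 ** (s - 1) + k
        for i in range(self.N):
            self.u[i] = self.take(self.n - 2 * self.m) if i < active else ""

    def digest(self, x):
        n, m, t = self.n, self.m, self.t
        assert len(x) >= self.delta, "Section 3.2 assumes L >= delta(t)"
        if len(x) > self.delta:
            q, r = divmod(len(x) - self.delta, self.lam)
            if r == 0:                           # r must lie in {1, ..., lambda(t)}
                q, r = q - 1, self.lam
            b = -(-r // (2 * n - 2 * m))         # ceil(r / (2n - 2m))
            x += "0" * (b * (2 * n - 2 * m) - r) # line 2 of PHA
        else:
            q = b = 0
        self.x, self.rounds, self.counter["calls"] = x, 0, 0
        self.u, self.z = [""] * self.N, [""] * self.N
        self.format_start_up(); self.parallel_process()           # one round
        for _ in range(q):
            self.format_steady_state(); self.parallel_process()   # q rounds
        self.format_end_game(b); self.parallel_process()          # one round
        for s in range(t - 1, 0, -1):
            self.format_flushing(s, b); self.parallel_process()   # t-1 rounds
        z0 = self.P(self.z[0] + self.z[1] + self.x)               # line 17: special round
        self.rounds += 1
        assert len(z0) == m
        return {"digest": z0, "q": q, "b": b, "padded_len": len(x),
                "rounds": self.rounds, "calls": self.counter["calls"]}

def check_pha(n, m, t, L):
    """Hash a constructed L-bit message and compare rounds with Theorem 1, h calls
    with Proposition 1 and, since each message bit enters exactly one h call whose
    remaining bits are chaining values (Theorem 2), padded length with calls*(n-m)+m."""
    msg = "".join("1" if (i * 7) % 3 == 0 else "0" for i in range(L))  # constructed input
    res = PHA(n, m, t).digest(msg)
    res["rounds_ok"] = res["rounds"] == res["q"] + t + 2
    res["calls_ok"] = res["calls"] == (res["q"] + 2) * 2 ** t + 2 * res["b"] - 1
    res["coverage_ok"] = res["padded_len"] == res["calls"] * (n - m) + m
    return res
```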

3.4 Security Reduction 

In this section we provide a Turing reduction of Col(n, m) to FLC(n, m, L).
This will show that if it is computationally difficult to find collisions for h, then
it is also computationally difficult to find collisions for h_L. We provide only a
sketch of the proof. The detailed proof can be found in [7].

Theorem 3. Let h be an (n, m) hash function and for L > n let h_L be the
function defined by algorithm PHA. If there is an (ε, p, L) algorithm A to solve
FLC(n, m, L) for the hash function h_L, then there is an (ε, p + 2ψ(L)) algorithm
B to solve Col(n, m) for the hash function h.
Sketch of proof: The idea of the proof is to show that if A can find x and x'
such that x ≠ x' but h_L(x) = h_L(x'), then one can find w and w' such that
w ≠ w' but h(w) = h(w'). The proof proceeds in the following manner. The
output of PHA on input x is h_L(x) = z_{0,q+t+2} and the output of PHA on input
x' is h_L(x') = z'_{0,q+t+2}. Assume that b > 0 (the case b = 0 is similar). In this
case the inputs to processor P_0 in round q + t + 2 are z_{0,q+t+1} || z_{1,q+t+1} || u_{0,q+t+2}
and z'_{0,q+t+1} || z'_{1,q+t+1} || u'_{0,q+t+2} corresponding to strings x and x' respectively.

If z_{0,q+t+1} || z_{1,q+t+1} || u_{0,q+t+2} ≠ z'_{0,q+t+1} || z'_{1,q+t+1} || u'_{0,q+t+2} then we have a
collision for h. Otherwise z_{0,q+t+1} = z'_{0,q+t+1}, z_{1,q+t+1} = z'_{1,q+t+1} and u_{0,q+t+2} =
u'_{0,q+t+2}. Note that u_{0,q+t+2} and u'_{0,q+t+2} are substrings of x and x' respectively.
Thus not obtaining a collision for h at this stage implies a certain portion of x
and x' are equal. At this point we use a reverse induction on the round number
to show that if there is no collision for h, then x = x'. Since by assumption we
have x ≠ x', we must find a collision for h. □



4 Variable Length Input 

In the previous section we developed composition schemes which work for fixed
input lengths. More precisely, given h : {0,1}^n → {0,1}^m and a positive integer
L, we have shown how to construct h_L : {0,1}^L → {0,1}^m. We now extend this
to h* : ∪_{n ≤ i ≤ N} {0,1}^i → {0,1}^m, where N = 2^{n−m} − 1. For 0 ≤ i ≤ 2^s − 1, let
bin_s(i) be the s-bit binary expansion of i. We treat bin_s(i) as a binary string of
length s. Then h*(x) is defined as follows.

    h^*(x) = h\bigl( \mathrm{bin}_{n-m}(|x|) \,\|\, h_{|x|}(x) \bigr)        (2)

In other words, we first apply h_L (where |x| = L) on x to obtain an m-bit
message digest w. Let v = bin_{n−m}(|x|). Then v is a bit string of length n − m.
We apply h to the string v || w to get the final message digest.

Remark: 1. We do not actually require the length of the message to be < 2^{n−m}.
The construction can easily be modified to suit strings having length < 2^c for
some constant c. Since we are assuming n > 2m and m > 128 for practical hash
functions, choosing c = n − m is convenient and sufficient for practical purposes.
2. The construction can be modified to tackle arbitrary length strings. For the
usual Merkle-Damgard procedure this is described in [9]. We will provide the
extension to arbitrary length strings for our construction in the full version of
the paper.

Proposition 3. Let t_h and T_h(L) be the time taken to compute h and h_L respectively.
Then the time taken to compute h* is T_h(L) + t_h and the number of
invocations of h is 1 + ψ(L).

Theorem 4. Let h be an (n, m) hash function and h* be the function defined
by Equation 2. If there is an (ε, p, L) algorithm A to solve VLC(n, m, L) for
the hash function h*, then there is an (ε, p + 2 + 2ψ(L)) algorithm B to solve
Col(n, m) for the hash function h.
5 Concluding Remarks

We have considered only one property of hash functions - namely intractability
of finding collisions. There are other desirable properties that a hash function
must satisfy. These are Zero Preimage and Preimage (see [8]). In [8], reductions
between these properties have been studied. In our case, we are required to show
that our constructions preserve the intractability of these problems. In fact, these
properties are indeed preserved and the proofs will be provided in the full version
of the paper.

The second important point is that we have considered the processors to be
organised as a binary tree. In fact, the same technique carries over to k-ary trees,
with the condition that n > km. The computation can be made even faster by
moving from binary to k-ary processor trees. However, the formatting processor
will progressively become more complicated and will offset the advantage in
speed-up. Hence we have not explored this option further.
Abstract. Most of the hash functions using iterative constructions are
inefficient for bulk hashing of documents with high similarity. In this
paper, we present a new approach to construct a cryptographic hash
function called Pair Chaining & Modular Arithmetic Combining Incremental
Hash Function (PCIHF). PCIHF has some attractive properties,
which are incrementality and parallelizability. The security of PCIHF has
also been analyzed comprehensively. Finally, we show that PCIHF is not
only universal one-way but also collision-free.

Key words. Cryptography, Hash Function, Incremental Cryptography.



1 Introduction 

Hash functions take an input string of arbitrary length and output a unique
fixed length string called the hash value. Originally, hash functions were designed
for the purpose of data integrity. The simplest protocol for ensuring data integrity
is as follows. Firstly, it hashes a large message M to obtain its corresponding
fixed size hash value μ. Then, μ, with smaller size, is protected by storing it in an
expensive private space, such as a smart card. Meanwhile, M is kept in a public
space. Later, we verify the integrity of M by hashing the message to obtain a
new hash value μ'. Then, we compare μ' with the protected hash value μ. If they
are equal, with high probability, we conclude that M has not been altered. By
using hash functions, we can save the cost and speed up the verification process.

In order to ensure that the data integrity protection scheme works, the hash
functions must fulfill some cryptographic properties, which are 1st and 2nd preimage
resistance and collision resistance (Menezes et al. [8]). Most of the hash
functions using iterative constructions are inefficient for bulk hashing of documents
with high similarity. This is because of the nature of the iterative process
where the processing time is proportional to the total length of the message.

Here, we propose a new cryptographic hash function called Pair Chaining &
Modular Arithmetic Combining Incremental Hash Function (PCIHF) by using
the concept of incremental cryptography, which was first introduced by Bellare
et al. [1]. For the proposed PCIHF, the time taken for updating the hash value
is proportional to the amount of modifications made to the message, or constant
for certain text modification functions. We have assumed that the amount of
modification is small compared to the size of the message. Therefore, PCIHF is
more efficient. Moreover, PCIHF is parallelizable, which is very useful for hardware
and software implementation.

Section 2 presents the notation and related works on incremental cryptogra- 
phy. We elaborate on the construction of PCIHF and analysis of its efficiency on 
some text modification functions in Section 3. In Section 4, we show that our 
proposed PCIHF is universal one-way and collision-free. 



2 Preliminary 

2.1 Standard Notation and Definition 

Here, we briefly go over some standard notation. {0,1}^k denotes a binary string
of k bits. [q] is the set of integers {x : 1 ≤ x ≤ q}. |s| denotes the length (in
bits) of s. (R − S) denotes the difference of sets R and S. The symbol Ω denotes
the asymptotic lower bound. r || s and r ⊕ s denote that string r is concatenated
and exclusive-ORed with string s respectively. Finally, ⟨s⟩ denotes the binary
representation of s.



2.2 Incremental Hash Function and Related Works 

Incremental cryptography has the special property that after applying it to a
message, the cryptographic primitive can quickly be updated for the modified
message. In detail, applying a message M, its hash value μ and the text
modification function F to an ideal incremental hash function H will produce
an updated hash value μ' of the modified message M' faster than recomputing
it from scratch. The time taken must be independent of the size of the message,
but dependent only on the number of changed blocks.

Theoretically, any collision-free compression function can be modified to become
an incremental hash function. Bellare and Micciancio [4] presented the
randomize-then-combine paradigm. They pointed out the reasons why conventional
combining operators (such as exclusive-OR) are rejected. However, it can
still be used in a message authentication scheme (MAC) where a secret key is
involved (Bellare et al. [3] and Fischlin [5]). Besides that, incremental hash
functions based on the tree scheme and the discrete logarithm problem have been
proposed in Bellare et al. [1] and [2]. Due to some disadvantages in the latter two
schemes, we will only concentrate on the randomize-then-combine paradigm. The
basic construction of an incremental MAC is as below,

    \mu = \mathop{\triangle}_{i \in [n]} R_a(M[i])        (1)

△ is the group operation and R_a is a keyed pseudo-random function with secret
key a. Unfortunately, (1) is not 2nd pre-image resistant. This is because the
hash value remains unchanged by rearranging the message blocks. For example,
H(M[1] || M[2]) = H(M[2] || M[1]). In order to solve this, each block is added
with a counter, and the construction becomes,

    \mu = \mathop{\triangle}_{i \in [n]} R_a(\langle i \rangle \,\|\, M[i])        (2)

Now, the sequence of message blocks is essential. Although dramatic improvements
in terms of speed can be achieved in using the incremental settings, it
poses some new security concerns, which are tamper-proof security and privacy.
Since (2) is still a linear function, it is insecure against the message substitution
attack. For example, let μ_1 = H(A || B), μ_2 = H(A || D) and μ_3 = H(C || B) where
A, B, C, D ∈ M[i]. Without knowing a, an adversary will be able to obtain the
valid μ' for message C || D, because μ' = μ_1 △ μ_2 △ μ_3 = H(C || D). To counter
this, a random number r has to be included. The final setting is,

    \mu = R_a(\langle 0 \rangle \,\|\, \langle r \rangle) \;\triangle \mathop{\triangle}_{i \in [n]} R_a(\langle 1 \rangle \,\|\, \langle i \rangle \,\|\, M[i])        (3)

In order to make sure the incremental hash function is collision free and secure
against the message substitution attack, some redundancy bits must be added. Furthermore,
a user must keep a record of the sequence of the counters. Micciancio
[7] came out with the idea of an oblivious data structure to solve the privacy problem.
An incremental algorithm is said to be private or historically free if the
final hash value yields no information on the previous text modification operations
that have been applied to the final message. Therefore, (3) is partially
historically free because the adversary knows which message blocks have been
modified.



3 The Proposed PCIHF 

In this section, we explain the construction of the proposed Pair Chaining &
Modular Arithmetic Combining Incremental Hash Function (PCIHF). Then, we
show how PCIHF performs incremental updating of hash values over some text
modification functions. Its efficiency in terms of the total number of computation
steps required for each incremental updating process will also be analyzed. For
ease of discussion, we will only consider PCIHF as single pair block chaining
throughout this paper.

3.1 The Construction of PCIHF 

Initialisation. For the sake of simplicity, we ignore the nonce and the Merkle-
Damgard strengthening (MD-strengthening), which are usually added as the
first and last block in the original message respectively. Eventually, these are
essential in practical schemes to guard against prefix and postfix types of attacks.
We apply a standard padding method which pads a bit '1' and the minimum
number of bits '0' at the tail of the message M so that the message length |M|
is a multiple of b bits. Finally, an input message M = M[1]M[2] ... M[n], with
single message block M[i] ∈ {0,1}^b, for i ∈ [n]. In order to make our construction
work, we make a stronger assumption which is that all the message
blocks are distinct. This means that M[i] ≠ M[j] for i, j ∈ [n] and i ≠ j. Finally,
R : {0,1}^{2b} → {0,1}^k is a standard collision-free compression function
(or pseudo-random function) which has a 2b-bit input and outputs a k-bit
"random" string.

Randomize. We implement the concept of the randomize-then-combine paradigm.
Instead of using a counter for each block, we chain the blocks before performing
the randomizing process. The randomizer must definitely be collision-free; otherwise,
the entire construction fails to be collision-free. After going through R,
we obtain a series of intermediate hash values for i ∈ [n − 1] as shown below,

    h[i] = R(M[i] \,\|\, M[i+1])        (4)

Combining. Since the hash function is public, we have to use some modular arithmetic
operations; if not, it is not secure (Bellare et al. [4]). Additionally, these
operations must be associative, commutative and invertible in a particular group,
so that PCIHF is parallelizable and incremental. Some of the suitable operations
are addition and multiplication. Later, we will prove that the hardness of breaking
the additive operation is equal to breaking the weighted subset sum problem. In
this paper, we choose modular summation as the combining operation. We fix
the length of the final hash value to k = 160 bits. The final hash value μ for PCIHF
could be obtained as follows:

    \mu = \sum_{i \in [n-1]} h[i] \pmod{2^{160} + 1}        (5)

Here we assume that the Random Access Machine model (RAM machine) is chosen
and the original (or previous) message is stored inside the memory, so the time taken
to access the corresponding block can be ignored. Hence, the total computation
steps taken by PCIHF for obtaining the first original hash value T_t is equal to
n(R_t + C_t) − (R_t + 2C_t), where C_t and R_t are the constant time taken for the combining
and randomizing process respectively. Its efficiency decreases dramatically
compared to a standard hash function which only takes n(R_t/2). Nevertheless,
PCIHF is incremental and parallelizable.

3.2 Text Modification Function f and Efficiency 

In addition to single block update operations, PCIHF can also handle multiple
block and message update operations. Let σ_i ∈ {0,1}^b be a set of distinct
message blocks (also distinct from M[i]) for i ∈ [n]. A set of text modification functions
F, so that the updated message M' = F(M, f), where f is the modification
argument. The description of f is given below:

Block Replacement. f = replace(p, i, σ_1, ..., σ_p) denotes that the sequence of p
blocks starting from location i of the previous M with hash value μ are replaced by
σ_1, ..., σ_p. The updated hash value is:

    \mu' = \mu + R(M[i-1] \,\|\, \sigma_1) + R(\sigma_p \,\|\, M[i+p])
           - \sum_{j=0,1,\ldots,p} R(M[i-1+j] \,\|\, M[i+j]) + \sum_{j \in [p-1]} R(\sigma_j \,\|\, \sigma_{j+1})        (6)

The total cost T_t = 2(1 + p)(R_t + C_t).

Block Deletion. f = delete(p, i) denotes that the sequence of p blocks starting from
location i of M with hash value μ are deleted. The updated hash value is:

    \mu' = \mu - \sum_{j=0,1,\ldots,p} R(M[i-1+j] \,\|\, M[i+j]) + R(M[i-1] \,\|\, M[i+p])        (7)

The total cost T_t = (2 + p)(R_t + C_t).

Block Insertion. f = insert(p, i, σ_1, ..., σ_p) denotes that the p blocks (σ_1, ..., σ_p) are
inserted after location i of M with hash value μ. The updated hash value is:

    \mu' = \mu - R(M[i] \,\|\, M[i+1]) + R(\sigma_p \,\|\, M[i+p]) + R(M[i] \,\|\, \sigma_1) + \sum_{j \in [p-1]} R(\sigma_j \,\|\, \sigma_{j+1})        (8)

The total cost T_t = (2 + p)(R_t + C_t) is the same as for the deletion function.

Block Cut-&-Paste. f = cut−paste(p, i, j) denotes that the sequence of p blocks
from location i are cut and pasted after location j of M. The updated
hash value is:

    \mu' = \mu - R(M[i-1] \,\|\, M[i]) - R(M[i+p-1] \,\|\, M[i+p])
           + R(M[j] \,\|\, M[i]) + R(M[i-1] \,\|\, M[i+p])
           - R(M[j] \,\|\, M[j+1]) + R(M[i+p-1] \,\|\, M[j+1])        (9)

The total cost T_t = 6(R_t + C_t), which is a constant value.

Multi-Message Merging. f = merge(M_1, M_2, ..., M_{p*}) where p* is the total
number of messages, denotes that the multiple documents M_1, M_2, ..., M_{p*} with respective
hash values μ_1, μ_2, ..., μ_{p*} and numbers of message blocks
n_1, n_2, ..., n_{p*} are merged into one. The updated hash value is:

    \mu' = \sum_{j \in [p^*-1]} R(M_j[n_j] \,\|\, M_{j+1}[1]) + \sum_{i \in [p^*]} \mu_i        (10)

The total cost T_t = p*(R_t + 2C_t) − (R_t + 2C_t). It is only proportional to p*.
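The construction (4)-(5) and the update rules (6)-(10) as an added Python model (not the paper's own code): SHA-1 is the randomizer R as in Section 4, blocks are 20 bytes, indices are 0-based, and every update keeps an untouched neighbour block on each side, as the formulas assume; the successor of σ_p after an insertion is taken to be the block that followed position i before the update. check_updates applies each modification incrementally and compares the result with a from-scratch recomputation, and repeated_blocks_collide shows why Section 3.1 requires distinct blocks.

```python
import hashlib

BLOCK = 20                 # b = 160-bit blocks (a constructed choice)
MOD = 2 ** 160 + 1         # combining group of equation (5)


def R(x, y):
    """Randomizer (4): SHA-1, the paper's 'black box', over the 2b-bit pair x||y."""
    assert len(x) == BLOCK and len(y) == BLOCK
    return int.from_bytes(hashlib.sha1(x + y).digest(), "big")


def pcihf(M):
    """Equation (5): modular sum of R over all adjacent block pairs of M."""
    return sum(R(M[i], M[i + 1]) for i in range(len(M) - 1)) % MOD


# Incremental updates (6)-(10).  Indices are 0-based (the paper's location i is
# index i-1); each function returns the new block list and the updated hash.

def replace(M, mu, i, sigma):          # blocks M[i..i+p-1] become sigma
    p = len(sigma)
    assert 1 <= i and i + p <= len(M) - 1
    mu -= sum(R(M[i - 1 + j], M[i + j]) for j in range(p + 1))   # old pairs
    mu += R(M[i - 1], sigma[0]) + R(sigma[-1], M[i + p])          # new boundary pairs
    mu += sum(R(sigma[j], sigma[j + 1]) for j in range(p - 1))   # pairs inside sigma
    return M[:i] + list(sigma) + M[i + p:], mu % MOD


def delete(M, mu, i, p):               # blocks M[i..i+p-1] are removed
    assert 1 <= i and i + p <= len(M) - 1
    mu -= sum(R(M[i - 1 + j], M[i + j]) for j in range(p + 1))
    mu += R(M[i - 1], M[i + p])
    return M[:i] + M[i + p:], mu % MOD


def insert(M, mu, i, sigma):           # sigma goes in right after block i
    p = len(sigma)
    assert 0 <= i < len(M) - 1
    mu -= R(M[i], M[i + 1])
    mu += R(M[i], sigma[0]) + R(sigma[-1], M[i + 1])   # M[i+1]: old successor of block i
    mu += sum(R(sigma[j], sigma[j + 1]) for j in range(p - 1))
    return M[:i + 1] + list(sigma) + M[i + 1:], mu % MOD


def cut_paste(M, mu, i, p, j):         # move M[i..i+p-1] to just after block j
    assert 1 <= i and i + p <= len(M) - 1 and j + 1 < len(M)
    assert not (i - 1 <= j <= i + p - 1)              # paste point outside the cut range
    mu -= R(M[i - 1], M[i]) + R(M[i + p - 1], M[i + p]) + R(M[j], M[j + 1])
    mu += R(M[i - 1], M[i + p]) + R(M[j], M[i]) + R(M[i + p - 1], M[j + 1])
    seg, rest = M[i:i + p], M[:i] + M[i + p:]
    pos = j if j < i else j - p                       # where block j sits after the cut
    return rest[:pos + 1] + seg + rest[pos + 1:], mu % MOD


def merge(Ms, mus):                    # equation (10): concatenate several messages
    mu = sum(mus) + sum(R(Ms[j][-1], Ms[j + 1][0]) for j in range(len(Ms) - 1))
    return [blk for M in Ms for blk in M], mu % MOD


def blk(label):
    """Constructed distinct 20-byte block derived from a short label."""
    return hashlib.sha1(label.encode()).digest()


def check_updates():
    """Apply each text modification incrementally and compare with pcihf(M')."""
    M = [blk(f"m{i}") for i in range(8)]           # constructed 8-block message
    mu = pcihf(M)
    sig = [blk("s1"), blk("s2"), blk("s3")]        # constructed new blocks
    cases = {
        "replace": replace(M, mu, 2, sig),
        "delete": delete(M, mu, 3, 2),
        "insert": insert(M, mu, 4, sig),
        "cut_paste": cut_paste(M, mu, 1, 2, 5),
        "merge": merge([M, sig], [mu, pcihf(sig)]),
    }
    return {name: mu2 == pcihf(M2) for name, (M2, mu2) in cases.items()}


def repeated_blocks_collide():
    """Why Section 3.1 assumes distinct blocks: (5) depends only on the multiset
    of adjacent pairs, so two orderings sharing that multiset hash identically."""
    A, B, C, D = (blk(c) for c in "ABCD")
    M1 = [A, B, C, A, D, A]   # pairs AB, BC, CA, AD, DA
    M2 = [A, D, A, B, C, A]   # pairs AD, DA, AB, BC, CA: the same multiset
    return M1 != M2 and pcihf(M1) == pcihf(M2)
```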

3.3 Advantages of PCIHF 

Omitting the Index. In previously proposed incremental schemes, each block
is concatenated with a counter. Therefore, the size of the hash value increases
proportionally to the message size and the number of updating processes. Contrarily,
our PCIHF outputs a fixed size final hash value. This directly reduces
the storage space required. Furthermore, no information is leaked during the
updating process. The recipient needs only the updated message and the hash
value for the verification procedure. Therefore, our proposed scheme is oblivious
and totally tamper-proof secure. In addition to that, we do not need to keep
a record of the intermediate values or the sequence of the orientation of the
block counter as a virtual message (Bellare et al. [2]). This is hard to achieve
in the incremental tree scheme, where all the nodal information needs to be
stored.

Using R Function as a 'Black Box'. Using an existing hash function for
the randomizing operation makes our algorithm more portable and simplifies our
analysis. This is because the existing 'black boxes', such as SHA-1, have been
studied in detail and proven as strong candidates.

Fast Combination Operation. We stick to the summation operation, which
is the simplest arithmetic operation, as it is a very fast operation for current
microprocessors compared to other operations (modular multiplication, etc.).
Of course, using a combination operation with higher complexity will increase
the hardness of attacking the scheme.

Further Improvement. Applying multi-block chaining instead of just two
blocks per pair could further speed up the proposed scheme. Furthermore, the
performance of PCIHF could also be improved by storing the original intermediate
values h[i] which are needed during the updating process, as in the tree
scheme. If this is fully implemented, the updating process can be done in almost
constant time; however, we will end up using more space.



4 Analysis of PCIHF 

In this section, we show that the proposed PCIHF is not only universal one- 
way but also collision-free. Without loss of generality, we take SHA-1 as the 
randomizer and the modular addition operator as the combining operator. 



4.1 PCIHF: Universal One-Way 

We show that the strength of PCIHF can be related to the standard modular
knapsack problem (subset sum problem). This only suffices to show that it is
a universal one-way hash function UOWHF, as defined in Impagliazzo & Naor
[6] and Naor & Yung [9]. In order to show that it possesses the collision-free
property, we have to make a stronger examination, which will be discussed in
the next section.

According to Bellare et al. [4], formally, we construct a 2nd preimage-finder
(PF_1, PF_2). Firstly, algorithm PF_1 outputs an x. Then, the second, PF_2, will base
on the input x to get y. We fix the random oracle in the randomizing process,
which only PF_2 is allowed to access, but not PF_1. Finally, the finder is successful
if PCIHF(x) = PCIHF(y) and x ≠ y. This type of finder is a weaker notion
of security, because the adversary is not allowed to choose x, as compared to
collision-free where the birthday attack is allowed. We conclude that a proven universal
one-way cryptographic hash function is not necessarily collision-free,
but the converse is always true.

Definition 1. A 2nd preimage-finder (t, q, ε)-breaks a hash family if, given an
oracle, it makes at most q oracle queries, runs in time t and finds a collision
with probability at least ε. A hash family is (t, q, ε)-universal-one-way iff there
is no 2nd preimage-finder which (t, q, ε)-breaks it.

Standard Modular Subset-Sum Problem. Given a k-bit integer N and q
distinct numbers a_1, ..., a_q ∈ Z_N, we can construct a (k, q)-standard knapsack
problem. For optimization purposes, we assume that N = 2^k + 1. Then, we
are asked to get a set of weights w_1, ..., w_q ∈ {0, 1}, not all zero, where

    \sum_{i \in [q]} w_i a_i = 0 \pmod{N}        (11)

The task is hard when a_1, ..., a_q are chosen randomly in Z_N and N is sufficiently
large.

Definition 2. A (k, q)-standard knapsack problem is (t, ε)-hard iff there is no
algorithm which can find a solution to an instance N, a_1, ..., a_q of the (k, q)-
standard knapsack problem with probability more than ε in time t, provided that
a_1, ..., a_q are selected uniformly and independently in Z_N.

After relating the universal one-wayness of PCIHF to the standard modular knapsack
problem, we obtain Theorem 1.

Theorem 1. Let k and q be integers such that the (k, q)-standard knapsack
problem is (t', ε')-hard. Then PCIHF is a (t, q, ε)-universal one-way family of hash
functions where t = t' − Ω(2bq) and ε = 2ε'.

Proof: The proof is given in Appendix A.

4.2 PCIHF: Collision-Free

A collision-finder CF is an algorithm that tries to output a colliding pair.
Here, we will examine the probability that it is successful.

Definition 3. A collision-finder CF (t, q, ε)-breaks a hash family H if it runs in
time t, makes at most q oracle queries, and finds a collision in H with probability
at least ε. We say that H is (t, q, ε)-collision-free if there is no collision-finder
which (t, q, ε)-breaks H.
Weighted Modular Knapsack Problems. By giving a k-bit integer N and q
distinct numbers a_1, ..., a_q ∈ Z_N, we can construct a (k, q)-standard knapsack
problem. We are asked to get a set of weights w_1, ..., w_q ∈ {−1, 0, +1}, but
not all zero, as in (11). In other words, we need to find two disjoint non-empty
subsets I and J, where I, J ⊆ [q], such that,

    \sum_{i \in I} a_i - \sum_{j \in J} a_j = 0        (12)

Note that sets I and J are the sets of indices i and j such that w_i = +1 and
w_j = −1.

Definition 4. A (k, q)-weighted knapsack problem is (t, ε)-hard iff there is no
algorithm which can find a solution to an instance N, a_1, ..., a_q of the (k, q)-
standard knapsack problem with probability more than ε in time t, provided that
a_1, ..., a_q are selected uniformly and independently in Z_N.

Balance Problem. We identify a computational problem - the balance problem
(Bellare et al. [4]) that can be defined in an arbitrary group. It unifies the collision-free
treatment of PCIHF based on the underlying modular arithmetic combining
process. We only show how the hardness of the balance problem for the additive
groups is the weighted subset sum problem, although it could be implemented
in any algebraic group. The construction of the balance problem is as follows. Let
𝒢 be some family of groups and n an integer. In the (𝒢, n)-balance problem
we are given a group G ∈ 𝒢 and a sequence a_1, ..., a_n ∈ G. We must find
weights w_1, ..., w_n ∈ {−1, 0, +1}, not all zero, such that

    \mathop{\triangle}_{i \in [n]} a_i^{w_i} = e \pmod{N}        (13)

△ is the group operation and e is the identity element in the group. The security
of the proposed PCIHF paradigm can be related to the balance problem in the
underlying class of groups, if the group is hard. Recall that q refers to the number
of computations of the oracle R. Since R is ideal, it maps {0,1}^{2b} to G. Lemma
1 says that if the balance problem is hard then the corresponding family of hash
functions is collision-free.

Lemma 1. Let Q and q be integers such that the {G , q) -balance problem is 
ft' ,e')- hard. Then, PCIHFis ft, q,e) -collision- free family of hash functions where 
t = t' — L2{2bq) and e = s' . 

Proof: The proof is given in Appendix B. 

Theorem 2. Let k and q be integers such that the fk, q) -weighted knapsack prob- 
lem is ft' ,e') -hard. Then PCIHFis ft, q,e) -collision- free family of hash functions 
where t = t' — Q{2bq) and e = s' . 
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Proof: We have related the security of the PCIHF to the balance problem, which 
will further be reduced to a conventional hard problem. Obviously, since additive 
operator is chosen, the corresponding balance problem of PCIHF turns into (12), 
which is essentially equivalent to weighted knapsack problem. Therefore, PCIHF 
is proven to be a collision-free hash function as long as the weighted modular 
knapsack problem is hard. 

5 Conclusion

We have introduced a new hash function, PCIHF, which is incremental and parallelizable.
The time taken for the cut-and-paste text modification function is constant, regardless of
the number of blocks involved. Also, for merging multiple messages, the time taken depends
only on the number of messages. Table 1 summarizes the time taken by PCIHF for the various
modification functions. Finally, we showed that PCIHF is not only universal one-way but
also collision-free.

Table 1. Complexity of computation

  Text modification function $f$             Total cost $T_t$
  -----------------------------------------  --------------------------------
  Replace($p, i, a_1, \ldots, a_p$)           $2(1 + p)(R_t + C_t)$
  Delete/insert($p, i$)                       $(2 + p)(R_t + C_t)$
  Cut-paste($p, i, j$)                        $6(R_t + C_t)$
  Merge($M_1, M_2, \ldots, M_p$)              $p(R_t + 2C_t) - (R_t + 2C_t)$
Appendix A: Proof of Theorem 1

A second-preimage finder $(PF_1, PF_2)$ which $(t, q, \varepsilon)$-breaks PCIHF is given. Algorithm
$PF_1$ outputs a string $x$ of $n$ blocks. Then $PF_2$ takes an oracle $R$ and eventually outputs
a string $y$ of $m$ blocks such that $(x, y)$ is a colliding pair for PCIHF. From these we
construct an algorithm $P$ that solves the $(k, q)$-standard knapsack problem: $P$ is given a
$k$-bit integer $N$ and a list $a_1, \ldots, a_q \in \mathbb{Z}_N$. First, $P$ runs $PF_1$ to obtain $x$.
Then it runs $PF_2$ on input $N$ and answers its random oracle queries in place of $R$. There
are two strategies for doing so. We assume that the oracle queries are distinct and are
only made on block replacements in, or appends to, $x$; the answers are also distinct and
randomly distributed. Because of the pair-chaining technique and the restrictions placed on
$PF_2$, a successful collision output $y$ has the following form: for $i \in [m]$, $y_i$ is
either $x_i$ or $z_{k_i}$. Here $x_i, y_i, z_i, w_i \in \{0, 1\}^b$ and $k_i, i_j \in [q]$. Let
$I \subseteq [m]$ be the set of indices $i$ with $y_i = z_{k_i}$.



Strategy A. For $i \in [n-1]$, answer $R(x_i \| x_{i+1}) = b_i$ with $b_i \in \mathbb{Z}_N$. The
remaining $q - 2(2n-1)$ queries have the form $R(w_{k_j} \| w_{k_j+1})$, each half being either
an original block $x_j$ or a replacement block $z_{k_j}$; they are answered by a case analysis
on which halves are replacement blocks and on the position ($j = 1$, $1 < j < n$, $j = n$,
$j > n$). The answers are built from the $b_i$ and the knapsack elements $a_{k_j}$ so that,
relative to the sum of the $b_i$, every replacement block $z_{k_i}$ present in $y$ contributes
exactly $a_{k_i}$ to the hash. We choose this strategy if we assume $m \geq n$, i.e.
$|y| \geq |x|$. For $i \in [m-1]$, let $I_1$ be the set of indices $i$ such that
$(y_i \| y_{i+1}) = (x_i \| z_{k_{i+1}})$, $I_2$ the set of indices with
$(y_i \| y_{i+1}) = (z_{k_i} \| x_{i+1})$, and $I_3$ the set of indices with
$(y_i \| y_{i+1}) = (z_{k_i} \| z_{k_{i+1}})$. These sets $I_1, I_2, I_3$ are pairwise disjoint,
and $I = \{i : i \in I_2 \cup I_3\} \cup \{i + 1 : i \in I_1 \cup I_3\}$. Then

$$\mathrm{PCIHF}(x) = \sum_{i=1}^{n-1} R(x_i \| x_{i+1}) = \sum_{i=1}^{n-1} b_i \pmod N,$$

$$\mathrm{PCIHF}(y) = \sum_{i=1}^{m-1} R(y_i \| y_{i+1})
= \sum_{i \in I_1 \cup I_2 \cup I_3} R(y_i \| y_{i+1}) + \sum_{i \in [n-1] - I} b_i
= \sum_{i=1}^{n-1} b_i + \sum_{i \in I} a_{k_i} = \mathrm{PCIHF}(x) + \sum_{i \in I} a_{k_i} \pmod N.$$

If the finder is successful, then $(x, y)$ is a collision for PCIHF. In other words, we have
found a non-empty subset $I \subseteq [m]$ with $\sum_{i \in I} a_{k_i} \equiv 0 \pmod N$, and the
index set $\{k_i : i \in I\}$ is a solution to the given standard knapsack problem.

Strategy B. For $i \in [n-2]$, answer $R(x_i \| x_{i+1}) = a_i$, and answer
$R(x_{n-1} \| x_n) = \sum_{i=n-1}^{q} a_i \pmod N$. For $j \in [q - (n-1)]$, answer the queries
in which the first half is a replacement block, $w_{k_j} = z_{k_j}$, and the second half is
$w_{k_j+1} \in \{x_{j+1}, z_{k_{j+1}}\}$, by $R(z_{k_j} \| w_{k_j+1}) = a_{j+(n-1)}$. We choose this
strategy if we assume $m < n$. Let $J \subseteq [m]$ be the set of indices $j$ such that
$y_j = z_{k_j}$, where $k_j \in [q]$ for $j \in [m]$. Let
$J' = \{j + (n-1) : j \in J\} \cup ([n-2] - J)$ and $J'' = [q] - J'$. Then

$$\mathrm{PCIHF}(y) = \sum_{j \in J'} a_j \pmod N,$$

$$\mathrm{PCIHF}(x) = \sum_{i=1}^{q} a_i = \sum_{j \in J'} a_j + \sum_{j \in J''} a_j
= \mathrm{PCIHF}(y) + \sum_{j \in J''} a_j \pmod N.$$

Similarly, if the finder is successful then $(x, y)$ is a collision for PCIHF and
$J'' \neq \emptyset$; in other words, we have found a subset $J'' \subseteq [q]$ such that

$$\sum_{j \in J''} a_j \equiv 0 \pmod N.$$

Once again, this is a solution to the given standard knapsack problem of Definition 2.
From the point of view of $PF_2$ the two strategies are indistinguishable, and the choice
between them is independent of its behaviour. $P$ solves the knapsack instance whenever it
has chosen the right strategy, which happens with probability $1/2$; hence $P$ succeeds with
half the probability of the second-preimage finder, which gives $\varepsilon = 2\varepsilon'$.

Appendix B: Proof of Lemma 1

Following Bellare et al. [4], a collision-finder CF takes $\langle G \rangle$ (the description of a
particular group) and an oracle $R$, and eventually outputs a pair of distinct strings
$x = x_1 \ldots x_n$ and $y = y_1 \ldots y_m$ that collide. We construct an algorithm $P$ to solve
the $(\mathcal{G}, q)$-balance problem. $P$ runs CF on input $\langle G \rangle$, answering its random
oracle queries with the values $a_1, \ldots, a_q$ in order. We assume oracle queries are not
repeated. Notice that the answers to the oracle queries are uniformly and independently
distributed over $G$, as they would be if $R : \{0, 1\}^{2b} \to G$ were a random function. Let
$Q_i$ denote the $i$-th oracle query of CF, namely the one answered by $a_i$, so that
$R(Q_i) = a_i$, and let $Q = \{Q_1, \ldots, Q_q\}$. Finally, the collision-finder outputs a
colliding pair $(x, y)$. We know this means

$$\bigwedge_{i \in [n-1]} R(x_i \| x_{i+1}) = \bigwedge_{j \in [m-1]} R(y_j \| y_{j+1}).$$

Note that the operations are in $G$. The strings $x$ and $y$ are not necessarily of the same
size; that is, $m$ may differ from $n$. We construct a solution to the balance problem from
$x$ and $y$. Let $x'_i = x_i \| x_{i+1}$ for $i \in [n-1]$ and $y'_i = y_i \| y_{i+1}$ for
$i \in [m-1]$. Let $f_x(i)$ be the (unique) value $j \in [q]$ such that $x'_i = Q_j$, and let
$f_y(i)$ be the (unique) value $j \in [q]$ such that $y'_i = Q_j$. We then let
$I = \{f_x(i) : i \in [n-1]\}$ and $J = \{f_y(i) : i \in [m-1]\}$ be, respectively, the indices
of the queries corresponding to $x$ and $y$. We rewrite the above equation as

$$\bigwedge_{i \in I} a_i = \bigwedge_{j \in J} a_j.$$

We know that $x \neq y$ and so $I \neq J$. Now for $i = 1, \ldots, q$ define

$$w_i = \begin{cases} -1 & \text{if } i \in J - I \\ 0 & \text{if } i \in I \cap J \\ +1 & \text{if } i \in I - J. \end{cases}$$

Then the fact that $I \neq J$ means that not all of $w_1, \ldots, w_q$ are $0$, and

$$\bigwedge_{i=1}^{q} a_i^{w_i} = e,$$

which is exactly the balance problem as defined. Therefore the probability that we find a
solution to the balance problem is exactly the probability that CF outputs a collision, and
the time taken is that of CF plus the cost of answering its $q$ queries.
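As an added worked example (this is not code from the paper), the reduction of Section 4.2
and Appendix B instantiated over the additive group $\mathbb{Z}_N$, where the balance problem is
the weighted modular knapsack of equation (12). The modulus $N = 97$, the six-letter block
alphabet, the message lengths and the seed are constructed toy values; the oracle $R$ is
simulated by lazy sampling, exactly as the proof programs it, and a collision is found by
brute force so that the weight extraction can be checked end to end:

```python
"""PCIHF over Z_N with a simulated random oracle, and the Appendix B extraction
of a balance-problem (weighted modular knapsack) solution from a collision."""
import itertools
import random

N = 97             # constructed toy modulus (the paper's N is a k-bit integer)
BLOCKS = "abcdef"  # constructed block alphabet; one letter stands for one b-bit block


class RandomOracle:
    """Lazily sampled R: {0,1}^{2b} -> Z_N.  The i-th distinct query Q_i is
    answered with a_i, which is exactly how the reduction programs the oracle."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.answers = {}   # Q_i -> a_i
        self.queries = []   # Q_1, Q_2, ... in order of first appearance

    def __call__(self, pair):
        if pair not in self.answers:
            self.answers[pair] = self.rng.randrange(N)
            self.queries.append(pair)
        return self.answers[pair]


def pcihf(R, msg):
    """Pair-chaining hash: sum of R(x_i || x_{i+1}) over i, modulo N."""
    return sum(R(msg[i] + msg[i + 1]) for i in range(len(msg) - 1)) % N


def query_indices(R, msg):
    """Indices (1-based, as in the proof) of the oracle queries msg makes."""
    return {R.queries.index(msg[i] + msg[i + 1]) + 1
            for i in range(len(msg) - 1)}


def balance_weights(R, x, y):
    """Appendix B: w_i = +1 on I - J, -1 on J - I and 0 elsewhere, for the
    query-index sets I of x and J of y."""
    I, J = query_indices(R, x), query_indices(R, y)
    return [1 if i in I - J else (-1 if i in J - I else 0)
            for i in range(1, len(R.queries) + 1)]


def find_collision(R, max_len=4):
    """Brute-force a collision among short messages whose blocks are pairwise
    distinct: for such messages the set of ordered block pairs determines the
    message, so x != y implies I != J, which the proof relies on."""
    seen = {}
    for n in range(2, max_len + 1):
        for msg in itertools.permutations(BLOCKS, n):
            h = pcihf(R, msg)
            if h in seen:
                return seen[h], msg
            seen[h] = msg
    return None  # unreachable here: 510 messages hash into only 97 values


def extract_knapsack_solution(seed=2001):
    """Run the whole reduction: find a collision, read off the weights and
    check that they solve sum_i w_i * a_i = 0 (mod N) with not all w_i zero."""
    R = RandomOracle(seed)
    x, y = find_collision(R)
    w = balance_weights(R, x, y)
    a = [R.answers[q] for q in R.queries]            # a_1, ..., a_q
    return {
        "x": "".join(x), "y": "".join(y),
        "collide": pcihf(R, x) == pcihf(R, y),
        "weights": w,
        "nontrivial": any(w),
        "balanced": sum(wi * ai for wi, ai in zip(w, a)) % N == 0,
    }
```

The search is restricted to messages with pairwise distinct blocks, for which the set of
ordered block pairs determines the message; this guarantees that the query sets $I$ and $J$
differ, which is what makes the extracted weights non-trivial.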
Abstract. In this paper we concentrate on finding multiples of primitive polynomials over
GF(2). Given any primitive polynomial $f(x)$ of degree $d$, we denote the number of
$t$-nomial multiples ($t < 2^d - 1$) with degree less than $2^d - 1$ by $N_{d,t}$. We show that

$$(t - 1) N_{d,t} = \binom{2^d - 2}{t - 2} - N_{d,t-1} - \frac{t-1}{t-2}\,(2^d - t + 1)\, N_{d,t-2},$$

with the initial conditions $N_{d,2} = N_{d,1} = 0$. Moreover, we show that the sum of the
degrees of all the $t$-nomial multiples of any primitive polynomial is
$\frac{t-1}{t}(2^d - 1) N_{d,t}$. More interestingly, we show that, given any primitive
polynomial of degree $d$, the average degree $\frac{t-1}{t}(2^d - 1)$ of its $t$-nomial
multiples with degree $\leq 2^d - 2$ is equal to the average of the maximum of all the
distinct $(t-1)$-tuples from $1$ to $2^d - 2$. In a certain model of Linear Feedback Shift
Register (LFSR) based cryptosystems, the security of the scheme is under threat if the
connection polynomial corresponding to the LFSR has sparse multiples. We show here that,
given a primitive polynomial of degree $d$, it is almost guaranteed to get one $t$-nomial
multiple with degree $\leq 2^{\frac{d}{t-1} + \log_2(t-1) + 1}$.

Keywords: Primitive Polynomials, Galois Field, Polynomial Multiples, Cryptanalysis,
Stream Cipher.



1 Introduction

Linear Feedback Shift Registers (LFSRs) are used extensively as pseudorandom bit
generators in different cryptographic schemes, and the connection polynomials of the
LFSRs are polynomials over GF(2) (see [3,12,2] for more details). To get the maximum cycle
length this connection polynomial needs to be primitive [9]. To resist cryptanalytic
attacks, it is important that these primitive polynomials be of high weight and also that
they have no sparse multiples [11,1] (see also [7] and the references therein for current
research on cryptanalysis in this direction). With this motivation, finding sparse
multiples of primitive polynomials has received a lot of attention recently, as is evident
from [6,4]. We here concentrate on this problem and show that sparse multiples of primitive
polynomials are not hard to find. Our observations raise serious questions on the safety
of a certain class of LFSR based cryptosystems [12,2].

C. Pandu Rangan, C. Ding (Eds.): INDOCRYPT 2001, LNCS 2247, pp. 62-72, 2001.
© Springer-Verlag Berlin Heidelberg 2001
First we concentrate on an enumeration problem: to find the total number of $t$-nomial
multiples of a $d$-degree primitive polynomial $f(x)$. We look into the multiples up to
degree $2^d - 2$, since the exponent of any $d$-degree primitive polynomial is $2^d - 1$. In
[4], it has been shown that any primitive polynomial of degree $d$ has $2^{d-1} - 1$
trinomial multiples. To generalize this, we here concentrate on a more involved counting
problem. We show that any primitive polynomial of degree $d$ has exactly

$$N_{d,t} = \frac{\binom{2^d-2}{t-2} - N_{d,t-1} - \frac{t-1}{t-2}(2^d - t + 1) N_{d,t-2}}{t - 1}$$

$t$-nomial multiples. Taking the initial conditions $N_{d,2} = N_{d,1} = 0$, it is easy to
see that our formula gives $N_{d,3} = 2^{d-1} - 1$. Also we show that the sum of the degrees
of all the $t$-nomial multiples is $\frac{t-1}{t}(2^d - 1) N_{d,t}$. This gives that, for
any primitive polynomial of degree $d$, the average degree of its $t$-nomial multiples with
degree $\leq 2^d - 2$ is $\frac{t-1}{t}(2^d - 1)$. This value is also equal to the average of
the maximum of all the distinct $(t-1)$-tuples from $1$ to $2^d - 2$.

In the other direction, it is important to find the sparse multiples. Thus it is very
clear that the main problem is to find the least degree $t$-nomial multiple of $f(x)$. The
simplest algorithm to find such a $t$-nomial multiple is to check all the $t$-nomials
starting from degree $d$ and then go on checking upwards until such a multiple is found.
The run time of such an exhaustive search algorithm is output sensitive. In fact, in [6,4]
it has been shown that it is possible to find a trinomial multiple of degree less than or
equal to the bound given there. However, this result is not encouraging, since for large
$d$ it will take a long time to get the least degree trinomial multiple. On the other hand,
if it can be shown that it is possible to get a multiple in a much lower range, then the
exhaustive search algorithm seems reasonable. We use simple statistical assumptions to
show that it is almost guaranteed to get a $t$-nomial multiple of degree less than or equal
to $2^{\frac{d}{t-1} + \log_2(t-1) + 1}$. In particular, it is expected to get a trinomial
multiple of degree less than or equal to $2^{\frac{d}{2} + 2}$, which is much better than
the bound given in [6,4].

Let us now present an example for clarity. Consider a randomly chosen primitive polynomial
$f(x)$ of degree 31; this polynomial has 15 terms. We found the following sparse multiples
of $f(x)$, with the time taken by a simple C language implementation (Unix operating system
on a SUN Enterprise Server E3000, four 250 MHz CPUs, 1 GB RAM) in brackets: a trinomial
(1546 sec), a 4-nomial of degree 3286 (2280 sec), a 5-nomial (1359 sec) and a 6-nomial
(218 sec). Our bound $2^{\frac{d}{t-1} + \log_2(t-1) + 1}$ gives the values 185362, 7740, 1722
and 734 for $t = 3, 4, 5, 6$ respectively. Note that we get sparse multiples at low degree in
a short time. This shows that the use of moderate degree primitive polynomials in
cryptographic schemes is not very safe [11,1], as it is easy to get sparse multiples.

A polynomial with $t$ non-zero terms, one of them being the constant term, is called a
$t$-nomial, or in other words a polynomial of weight $t$. By a sparse multiple we generally
mean a $t$-nomial multiple for $t \leq 9$. Note that the roots of a primitive polynomial are
primitive elements of $GF(2^d)$. Consider a primitive polynomial $f(x)$ of degree $d$ and let
$\alpha$ be a root of it, i.e. $f(\alpha) = 0$. Let $g(x)$ be a $t$-nomial multiple of $f(x)$ of
degree $\leq 2^d - 2$. Then it is very clear that $g(\alpha) = 0$. In other words,
$g(x) = 1 + x^{i_1} + \ldots + x^{i_{t-1}}$ ($1 \leq i_1 < i_2 < \ldots < i_{t-1} \leq 2^d - 2$)
is a $t$-nomial multiple of $f(x)$ iff $1 + \alpha^{i_1} + \ldots + \alpha^{i_{t-1}} = 0$.
For more details on finite fields, the reader is referred to [10,9].



2 Enumeration of t-nomial Multiples

In this section we first prove the following important result on the number of
$t$-nomial multiples of a degree $d$ primitive polynomial.

Theorem 1.

$$N_{d,t} = \frac{\binom{2^d-2}{t-2} - N_{d,t-1} - \frac{t-1}{t-2}(2^d - t + 1) N_{d,t-2}}{t - 1}.$$

Proof. Let us consider a primitive polynomial $f(x)$ of degree $d$. Any $t$-nomial multiple
of $f(x)$ can be written as $1 + x^{i_1} + x^{i_2} + \ldots + x^{i_{t-2}} + x^{i_{t-1}}$ with
$1 \leq i_1 < i_2 < \ldots < i_{t-2} < i_{t-1} \leq 2^d - 2$. Hence, if $\alpha$ is a root of
$f(x)$, then $1 + \alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}} = \alpha^{i_{t-1}}$.

Now consider the expression $1 + \alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}}$. We can
take any $(t-2)$-valued tuple $\langle i_1, i_2, \ldots, i_{t-2} \rangle$ out of the $2^d - 2$
possible values, which can be done in $\binom{2^d-2}{t-2}$ ways. For each such combination,
$1 + \alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}}$ must be one of the elements
$0$, $1$, $\alpha^k$ or $\alpha^l$, where $k \in \{i_1, i_2, \ldots, i_{t-2}\}$ and
$l \in \{1, \ldots, 2^d - 2\} - \{i_1, i_2, \ldots, i_{t-2}\}$. Let us consider the four cases
separately.

1. We first consider $1 + \alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}} = 0$. This
means that $1 + x^{i_1} + \ldots + x^{i_{t-2}}$ is a $(t-1)$-nomial multiple of $f(x)$, and
the situation occurs once for each $(t-1)$-nomial multiple. This count, $N_{d,t-1}$, must be
subtracted from $\binom{2^d-2}{t-2}$.

2. Next we consider $1 + \alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}} = \alpha^k$, where
$k \in \{i_1, i_2, \ldots, i_{t-2}\}$. Say $k = i_r$. Then
$1 + \alpha^{i_1} + \ldots + \alpha^{i_{r-1}} + \alpha^{i_{r+1}} + \ldots + \alpha^{i_{t-2}} = 0$,
i.e. the tuple with $i_r$ removed is a $(t-2)$-nomial multiple of $f(x)$. Conversely, each of
the $N_{d,t-2}$ such multiples has $t-3$ non-constant exponents, and the tuple is obtained
from it by adding any one of the remaining $(2^d - 2) - (t-3) = 2^d - t + 1$ exponents as
$i_r$; since the sum determines $\alpha^k$, no tuple arises twice. This count,
$(2^d - t + 1) N_{d,t-2}$, again must be subtracted from $\binom{2^d-2}{t-2}$.

3. Next we consider $1 + \alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}} = 1$, i.e.
$\alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}} = 0$. The number of tuples
$1 \leq i_1 < i_2 < \ldots < i_{t-2} \leq 2^d - 2$ with
$\alpha^{i_1} + \alpha^{i_2} + \ldots + \alpha^{i_{t-2}} = 0$ must be subtracted from
$\binom{2^d-2}{t-2}$, so we need to count them. Consider the expression
$\alpha^i (1 + \alpha^{j_1} + \alpha^{j_2} + \ldots + \alpha^{j_{t-3}})$ for $i = 1$ to
$2^d - 2$, where $1 + x^{j_1} + x^{j_2} + \ldots + x^{j_{t-3}}$ is a $(t-2)$-nomial multiple
of $f(x)$. Out of these values of $i$ we get $t - 3$ values for which $j_p + i = 2^d - 1$
for some $1 \leq p \leq t - 3$, i.e. for which one of the shifted terms becomes $1$; these
must be excluded, since we want to count the cases where
$\alpha^{i_1} + \ldots + \alpha^{i_{t-2}} = 0$ and none of the $\alpha^{i_g}$,
$1 \leq g \leq t-2$, is $1$. This leaves $(2^d - 2) - (t - 3) = 2^d - t + 1$ different cases
from each $(t-2)$-nomial multiple. On the other hand, the terms
$\alpha^i + \alpha^{i + j_1} + \ldots + \alpha^{i + j_{t-3}}$ for $i = 1$ to $2^d - 2$ produce
(by bringing any one term to the form $1$) $t - 3$ further $(t-2)$-nomial multiples of the
form $1 + x^{j'_1} + \ldots + x^{j'_{t-3}}$, and $1 + x^{j_1} + \ldots + x^{j_{t-3}}$ itself is
one as well. Thus, whenever we start from any $(t-2)$-nomial multiple, the sets we obtain
are shared with $(t-3) + 1 = t - 2$ $(t-2)$-nomial multiples in all. Hence, if we start from
each of the $N_{d,t-2}$ such multiples, every set is produced $t - 2$ times, and the total
number of tuples $1 \leq i_1 < i_2 < \ldots < i_{t-2} \leq 2^d - 2$ with
$\alpha^{i_1} + \ldots + \alpha^{i_{t-2}} = 0$ is $\frac{2^d - t + 1}{t - 2} N_{d,t-2}$. This
must be subtracted from $\binom{2^d-2}{t-2}$.

4. In all the remaining cases it is guaranteed that
$1 + \alpha^{i_1} + \ldots + \alpha^{i_{t-2}} = \alpha^{i_{t-1}} = \alpha^l$ with
$l \in \{1, \ldots, 2^d - 2\} - \{i_1, i_2, \ldots, i_{t-2}\}$, so each remaining tuple gives a
$t$-nomial multiple. Now we can bring $\alpha^l$ to the left hand side by moving any one of
the $\alpha^{i}$, $i \in \{i_1, i_2, \ldots, i_{t-2}\}$, to the right hand side instead. This
means that each $t$-nomial multiple is counted $t - 1$ times.

Thus the number of remaining tuples is
$\binom{2^d-2}{t-2} - N_{d,t-1} - (2^d - t + 1) N_{d,t-2} - \frac{2^d - t + 1}{t-2} N_{d,t-2}$,
and dividing by $t - 1$ we get

$$N_{d,t} = \frac{\binom{2^d-2}{t-2} - N_{d,t-1} - \frac{t-1}{t-2}(2^d - t + 1) N_{d,t-2}}{t - 1}.
\qquad \square$$



It is not clear how to solve the recurrence relation of Theorem 1 for general $t$. However,
we solve it for some low values of $t$, as these are important for analysing sparse
multiples. We list the values here.

$$N_{d,3} = \tfrac{1}{2}(2^d - 2)$$

$$N_{d,4} = \tfrac{1}{6}(2^d - 2)(2^d - 4)$$

$$N_{d,5} = \tfrac{1}{24}(2^d - 2)(2^d - 4)(2^d - 8)$$

$$N_{d,6} = \tfrac{1}{120}(2^d - 2)(2^d - 4)(2^d - 6)(2^d - 8)$$

$$N_{d,7} = \tfrac{1}{720}(2^d - 2)(2^d - 4)(2^d - 6)(2^{2d} - 15 \cdot 2^d + 71)$$

$$N_{d,8} = \tfrac{1}{5040}(2^d - 2)(2^d - 4)(2^d - 6)(2^d - 8)(2^{2d} - 15 \cdot 2^d + 71)$$

$$N_{d,9} = \tfrac{1}{40320}(2^d - 2)(2^d - 4)(2^d - 6)(2^d - 8)(2^d - 12)(2^{2d} - 12 \cdot 2^d + 62)$$

$$N_{d,10} = \tfrac{1}{362880}(2^d - 2)(2^d - 4)(2^d - 6)(2^d - 8)(2^d - 10)(2^d - 12)(2^{2d} - 12 \cdot 2^d + 62)$$

The above expressions show that it will not be easy to get a generalized solution for
any $t$; finding one is an interesting open exercise. Next we present the following result.

Theorem 2. $N_{d,2^d-1-t} = \frac{2^d - 1 - t}{t} N_{d,t}$.

Proof. It is known that for any primitive element $\alpha$,
$1 + \alpha + \alpha^2 + \ldots + \alpha^{2^d-2} = 0$, i.e. $1 + x + x^2 + \ldots + x^{2^d-2}$ is
the only $(2^d - 1)$-nomial multiple of any primitive polynomial $f(x)$ of degree $d$. Now we
calculate the number of $(2^d - 1 - t)$-nomial multiples in terms of the $t$-nomial
multiples. Whenever $\alpha^{i_1} + \ldots + \alpha^{i_t} = 0$ for
$1 \leq i_1 < i_2 < \ldots < i_t \leq 2^d - 2$, coupling this with
$1 + \alpha + \alpha^2 + \ldots + \alpha^{2^d-2} = 0$ (i.e. taking the complementary set of
exponents) gives a $(2^d - 1 - t)$-nomial multiple, and conversely. As in item 3 of the
proof of Theorem 1 (there with $t - 2$ terms, here with $t$ terms), we find that
$\alpha^{i_1} + \ldots + \alpha^{i_t} = 0$ holds for exactly $\frac{2^d - 1 - t}{t} N_{d,t}$ such
sets. So $N_{d,2^d-1-t} = \frac{2^d - 1 - t}{t} N_{d,t}$. $\square$

The above theorem can be used to get the number of $(2^d - 1 - t)$-nomial multiples from
the $t$-nomial multiples. We already know that $N_{d,1} = N_{d,2} = 0$. This immediately
gives $N_{d,2^d-2} = N_{d,2^d-3} = 0$. Also, in the proof of the above theorem we noted that
$N_{d,2^d-1} = 1$. We have found by computer program that the value of $N_{d,t}$ increases
strictly from $t = 3$ up to $t = 2^{d-1}$ and then decreases strictly till $t = 2^d - 4$.
Also, for $3 \leq t \leq 2^d - 4$, all the values of $N_{d,t}$ are positive integers. We have
checked this for $d = 4, 5, 6$ and could not check further since the count values are
extremely large. However, we get the following two results in this direction.

Corollary 1. $N_{d,t} > N_{d,t-1}$ for every $t$ satisfying
$\frac{t(t-2)}{2^d - t + 1} + \frac{(t-1)(t-3)}{2^d - t + 2} < 1$.

Proof. We need the values of $t$ for which
$N_{d,t} = \left(\binom{2^d-2}{t-2} - N_{d,t-1} - \frac{t-1}{t-2}(2^d - t + 1) N_{d,t-2}\right)/(t-1) > N_{d,t-1}$.
This gives $\binom{2^d-2}{t-2} > t N_{d,t-1} + \frac{t-1}{t-2}(2^d - t + 1) N_{d,t-2}$. Consider
the case when we overestimate $N_{d,t-1}$ as $\binom{2^d-2}{t-3}$ and $N_{d,t-2}$ as
$\binom{2^d-2}{t-4}$; even then $N_{d,t} > N_{d,t-1}$ holds provided
$1 > \frac{t(t-2)}{2^d - t + 1} + \frac{(t-1)(t-3)}{2^d - t + 2}$, which is the stated
condition on $t$. $\square$

Corollary 2. For $0 \leq i \leq 2^{d-1} - 4$, $N_{d,2^{d-1}+i} > N_{d,2^{d-1}-1-i}$.

Proof. From Theorem 2 we have
$N_{d,2^{d-1}+i} = \frac{2^{d-1}+i}{2^{d-1}-1-i} N_{d,2^{d-1}-1-i}$. Then the proof follows from
$2^{d-1} + i > 2^d - 1 - 2^{d-1} - i = 2^{d-1} - 1 - i$. $\square$

Next we prove an important result on the sum of the degrees of all the $t$-nomial
multiples of any primitive polynomial $f(x)$.

Theorem 3. Given any primitive polynomial of degree $d$, the sum of the degrees of all its
$t$-nomial multiples is $\frac{t-1}{t}(2^d - 1) N_{d,t}$.

Proof. Consider the $r$-th $t$-nomial multiple, of degree $d_r$, where $1 \leq r \leq N_{d,t}$.
Multiply it by $x^i$ for $1 \leq i \leq 2^d - 2 - d_r$. If $\alpha$ is a root of $f(x)$, then for
each value of $i$, $1 \leq i \leq 2^d - 2 - d_r$, we get an expression of the form
$\alpha^{i_1} + \ldots + \alpha^{i_t} = 0$ with $1 \leq i_1 < \ldots < i_t \leq 2^d - 2$. Thus
each $t$-nomial multiple provides $2^d - 2 - d_r$ such expressions, and considering all the
$t$-nomial multiples we get $\sum_{r=1}^{N_{d,t}} (2^d - 2 - d_r)$ such expressions, all of
them distinct (every zero-sum $t$-set of non-zero exponents arises exactly once, by the
shift that moves its smallest exponent to $0$). As in the proof of Theorem 2, this is the
count of all $(2^d - 1 - t)$-nomial multiples, which we denote by $N_{d,2^d-1-t}$. Moreover,
from Theorem 2, $N_{d,2^d-1-t} = \frac{2^d - 1 - t}{t} N_{d,t}$, i.e.

$$\sum_{r=1}^{N_{d,t}} (2^d - 2 - d_r) = \frac{2^d - 1 - t}{t} N_{d,t}.$$

Hence

$$\sum_{r=1}^{N_{d,t}} d_r = \left(2^d - 2 - \frac{2^d - 1 - t}{t}\right) N_{d,t} = \frac{t-1}{t}(2^d - 1) N_{d,t}. \qquad \square$$

From the above theorem we get that the average degree of a $t$-nomial multiple is
$\frac{t-1}{t}(2^d - 1) N_{d,t}$ divided by $N_{d,t}$, i.e. $\frac{t-1}{t}(2^d - 1)$. This
shows that plenty of $t$-nomial multiples are available at higher degree, whereas there are
very few at the lower end.
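As an added example (not the authors' program), Theorems 1 to 3 checked by exhaustive
enumeration in $GF(2^d)$ for $d = 4$ and $d = 5$. The polynomials $x^4 + x + 1$ and
$x^5 + x^2 + 1$ used in the check are standard primitive polynomials chosen for this example;
field elements are $d$-bit integers with $\alpha = x$, and the recurrence is evaluated in exact
rational arithmetic so that a non-integer value would be caught:

```python
"""Theorems 1-3 checked by exhaustive enumeration in GF(2^d) for small d:
the recurrence for N_{d,t}, the symmetry N_{d,2^d-1-t} = (2^d-1-t)/t N_{d,t}
and the degree sum (t-1)/t (2^d-1) N_{d,t}."""
from fractions import Fraction
from itertools import combinations
from math import comb


def mulx(a, f, d):
    """Multiply a field element (d-bit int) by x and reduce modulo f."""
    a <<= 1
    return a ^ f if a >> d & 1 else a


def power_table(f, d):
    """alpha^i for i = 0..2^d-2, alpha = x a root of f; field addition is XOR."""
    table, a = [], 1
    for _ in range(2 ** d - 1):
        table.append(a)
        a = mulx(a, f, d)
    return table


def is_primitive(f, d):
    """f is primitive iff x has multiplicative order exactly 2^d - 1 mod f."""
    table = power_table(f, d)
    return len(set(table)) == 2 ** d - 1 and mulx(table[-1], f, d) == 1


def count_by_enumeration(table, t):
    """N_{d,t} and the sum of degrees, by testing every (t-1)-subset of the
    exponents 1..2^d-2: 1 + sum alpha^{i_k} = 0 iff the XOR of the alpha^{i_k}
    equals 1.  The degree of the multiple is its largest exponent."""
    count = degree_sum = 0
    for exps in combinations(range(1, len(table)), t - 1):
        s = 0
        for e in exps:
            s ^= table[e]
        if s == 1:
            count += 1
            degree_sum += exps[-1]
    return count, degree_sum


def count_by_recurrence(d, t):
    """Theorem 1: (t-1) N_{d,t} = C(2^d-2, t-2) - N_{d,t-1}
    - (t-1)/(t-2) (2^d-t+1) N_{d,t-2}, with N_{d,1} = N_{d,2} = 0."""
    n = {1: Fraction(0), 2: Fraction(0)}
    for s in range(3, t + 1):
        rhs = (comb(2 ** d - 2, s - 2) - n[s - 1]
               - Fraction(s - 1, s - 2) * (2 ** d - s + 1) * n[s - 2])
        n[s] = rhs / (s - 1)
    assert n[t].denominator == 1, "the recurrence must produce an integer"
    return int(n[t])


def check_theorems(f, d, t_max):
    """Compare enumeration with Theorem 1 and check Theorems 2 and 3 for
    t = 3..t_max.  Returns True only if every check passes."""
    if not is_primitive(f, d):
        return False
    table = power_table(f, d)
    top = 2 ** d - 1
    for t in range(3, t_max + 1):
        n_enum, degree_sum = count_by_enumeration(table, t)
        n_rec = count_by_recurrence(d, t)
        if n_enum != n_rec:                                         # Theorem 1
            return False
        if t * degree_sum != (t - 1) * top * n_rec:                 # Theorem 3
            return False
        if t * count_by_recurrence(d, top - t) != (top - t) * n_rec:  # Theorem 2
            return False
    return True
```

The enumeration is exponential in $t$ and in $d$ and is meant only to validate the
recurrence on small fields; for the large $d$ of interest one uses the recurrence or the
closed forms above.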



3 On Least Degree t-nomials

A very simple algorithm to find the least degree $t$-nomial multiple of a degree $d$
primitive polynomial $f(x)$ is as follows.

Algorithm Find-t-Nomial-Multiple.

For $i = d$ to $2^d - 2$:

(a) Consider all possible $t$-nomials $g(x)$ of degree $i$.

(b) If $f(x)$ divides $g(x)$ then report this $t$-nomial and terminate.

The time complexity of this algorithm becomes reasonable only when we can expect to get
such a $t$-nomial multiple of degree much less than $2^d - 2$ for small $t$. The requirement
of small $t$ is due to the fact that a sparse multiple of a primitive polynomial can be used
in cryptanalytic techniques [11]. If the least degree $t$-nomial multiple has degree
$C_{d,t}$, then the algorithm runs for $i = d$ to $i = C_{d,t}$. In each step we have to
consider $\binom{i-1}{t-2}$ tuples. This is because we consider the $t$-nomial multiple
$1 + x^{i_1} + \ldots + x^{i_{t-2}} + x^{i_{t-1}}$ where
$1 \leq i_1 < \ldots < i_{t-2} < i_{t-1} \leq 2^d - 2$, and the value $1$ and the value
$i_{t-1} = i$ are fixed at the $i$-th step. Thus we need to check whether $f(x)$ divides
$g(x)$ for $\sum_{i=d}^{C_{d,t}} \binom{i-1}{t-2}$ different $t$-nomials in total. We would
like to estimate the value of $C_{d,t}$.

Once a primitive polynomial $f(x)$ of degree $d$ is specified, it is very clear that $f(x)$
has $N_{d,t}$ $t$-nomial multiples. Note that any $t$-nomial multiple
$1 + x^{i_1} + x^{i_2} + \ldots + x^{i_{t-2}} + x^{i_{t-1}}$ can be interpreted as the
$(t-1)$-tuple $\langle i_1, i_2, \ldots, i_{t-2}, i_{t-1} \rangle$. We have observed that, fixing
$f(x)$, if we enumerate all the $N_{d,t}$ different $(t-1)$-tuples, then the distribution of
the tuples seems random. To analyse the degree of these $t$-nomial multiples, we consider the
random variate $X = \max(i_1, i_2, \ldots, i_{t-2}, i_{t-1})$, where
$1 + x^{i_1} + x^{i_2} + \ldots + x^{i_{t-2}} + x^{i_{t-1}}$ is a $t$-nomial multiple of $f(x)$.
The value of $\max(i_1, i_2, \ldots, i_{t-2}, i_{t-1})$ is $i_{t-1}$, since we consider the
tuples as ordered ones. Let us look at the mean value of the distribution of $X$. From
Theorem 3, it is clear that the average degree of a $t$-nomial multiple is
$\frac{t-1}{t}(2^d - 1) N_{d,t}$ divided by $N_{d,t}$. Thus we get the mean value
$\bar{X} = \frac{t-1}{t}(2^d - 1)$.

This mean value $\bar{X}$ clearly identifies that the $t$-nomials are dense at higher degree
and there are very few at lower degree. On the other hand, for cryptanalysis we are not
interested in getting all the $t$-nomial multiples. We only concentrate on the least degree
$t$-nomial multiple $g(x)$ of $f(x)$. Thus our motivation is to get an estimate of the degree
of $g(x)$. This is not clear from the distribution of $X$, and that is why we look into
another distribution which seems to be close to the distribution of $X$.

Let us consider all the $(t-1)$-tuples $\langle i_1, i_2, \ldots, i_{t-2}, i_{t-1} \rangle$ in the
range $1$ to $2^d - 2$. There are $\binom{2^d-2}{t-1}$ such tuples. We consider the tuples in
ordered form, so that $1 \leq i_1 < i_2 < \ldots < i_{t-2} < i_{t-1} \leq 2^d - 2$. Now consider
the random variate $Y = \max(i_1, i_2, \ldots, i_{t-2}, i_{t-1})$, where
$\langle i_1, i_2, \ldots, i_{t-2}, i_{t-1} \rangle$ is any $(t-1)$-tuple from the values $1$ to
$2^d - 2$. Again the value of $\max(i_1, i_2, \ldots, i_{t-2}, i_{t-1})$ is $i_{t-1}$, as we
consider the tuples as ordered ones. Note that there is only $1$ tuple with maximum value
$t - 1$. There are $\binom{t-1}{t-2}$ tuples with maximum value $t$, $\binom{t}{t-2}$ tuples
with maximum value $t + 1$, and so on; in general $\binom{m-1}{t-2}$ tuples have maximum
value $m$. Thus the mean of this distribution is

$$\bar{Y} = \frac{\sum_{m=t-1}^{2^d-2} m \binom{m-1}{t-2}}{\binom{2^d-2}{t-1}}
= \frac{(t-1)\binom{2^d-1}{t}}{\binom{2^d-2}{t-1}} = \frac{t-1}{t}(2^d - 1).$$

Note that this is equal to the value of $\bar{X}$. Thus we have the following theorem.

Theorem 4. Given any primitive polynomial $f(x)$ of degree $d$, the average degree of its
$t$-nomial multiples with degree $\leq 2^d - 2$ is equal to the average of the maximum of all
the distinct $(t-1)$-tuples from $1$ to $2^d - 2$.



With the result of the above theorem, we assume that the distributions of $X$ and $Y$ are
indistinguishable. Consider the $N_{d,t}$ tuples which represent the actual $t$-nomial
multiples of $f(x)$. Since the distribution of these tuples seems random, if we select any
tuple, the probability that it represents a genuine $t$-nomial multiple is
$N_{d,t} / \binom{2^d-2}{t-1}$. Thus we can estimate the expected number of $t$-nomials with
degree less than or equal to $c$ as $\binom{c}{t-1} N_{d,t} / \binom{2^d-2}{t-1}$. At this
point let us summarize our assumption for this estimate.

Assumption RandomEstimate: Let $f(x)$ be a primitive polynomial of degree $d$. Consider the
set of all $t$-nomial multiples of $f(x)$ which are of the form
$1 + x^{i_1} + x^{i_2} + \ldots + x^{i_{t-2}} + x^{i_{t-1}}$ for
$1 \leq i_1 < i_2 < \ldots < i_{t-2} < i_{t-1} \leq 2^d - 2$. Interpret each $t$-nomial multiple
as an ordered $(t-1)$-tuple $\langle i_1, i_2, \ldots, i_{t-2}, i_{t-1} \rangle$. Note that the
degree of this $t$-nomial is $i_{t-1}$. Let $N_{d,t}(c)$ denote the number of $t$-nomial
multiples which have degree at most $c$. Then we expect that

$$\frac{N_{d,t}(c)}{N_{d,t}} \approx \frac{\binom{c}{t-1}}{\binom{2^d-2}{t-1}}.$$

Given some $t$, we would like an estimate of $c$ such that
$\binom{c}{t-1} N_{d,t} / \binom{2^d-2}{t-1} \approx 1$. This value of $c$ gives the expected
value of $C_{d,t}$, the degree of the least degree $t$-nomial multiple of $f(x)$.

Next we present some experimental results in support of our assumption. We consider the
trinomial multiples for this. In the following three tables we consider the cases of
degree 8, 9 and 10. In the first row A we provide some intervals; each value is the upper
end of an interval of degrees of the trinomial multiples. In the second row B we provide the
expected number of trinomial multiples with degree in the interval ending at the value
given in row A. As an example, from Table 1 we get that there are an estimated 2.05
trinomial multiples of degree less than or equal to 32, 4.1 trinomial multiples in the
range of degree $32 < \deg \leq 57$, 6.15 trinomial multiples in the range
$57 < \deg \leq 82$, etc. Note that these values are calculated from our assumption
RandomEstimate, and that is why they are fractional. In the third row C, we present the
result corresponding to a randomly chosen primitive polynomial. As an example, from Table 1
we get that there are 2 trinomial multiples of degree less than or equal to 32, 5 trinomial
multiples in the range $32 < \deg \leq 57$, 5 trinomial multiples in the range
$57 < \deg \leq 82$, etc. In the fourth row D, we present the result corresponding to all
the primitive polynomials; that is, for degree 8 we consider all the 16 primitive
polynomials and report the result in aggregate. As an example, from Table 1 we get that
there are 32 trinomial multiples of degree less than or equal to 32, 66 trinomial multiples
in the range $32 < \deg \leq 57$, 116 trinomial multiples in the range $57 < \deg \leq 82$,
etc., over all the primitive polynomials of degree 8. We normalize the fourth row D in the
fifth row E; that is, in Table 1 we divide the entries of the fourth row by 16 (the total
number of primitive polynomials of degree 8) to get the values in the fifth row E.

From the data in these three tables for degree 8, 9 and 10, it is clear that our
assumption is supported by the empirical results. With this observation we arrive at the
following result.

Theorem 5. Given a primitive polynomial $f(x)$ of degree $d$, under the assumption
RandomEstimate there exists a $t$-nomial multiple $g(x)$ of $f(x)$ such that the degree of
$g(x)$ is less than or equal to $2^{\frac{d}{t-1} + \log_2(t-1) + 1}$.



Table 1. Results for degree 8 primitive polynomials (16 polynomials). Row A: upper end of
the degree interval; B: expected count from RandomEstimate; C: one random polynomial;
D: all 16 polynomials; E: D/16.

  A     32     57     82    107    132    157    182    207    232    254   Total
  B   2.05    4.1   6.15   9.22  11.25  14.35  17.85  18.48   21.6  21.95     127
  C      2      5      5     11     11     12     20     20     20     21     127
  D     32     66    116    146    182    228    284    288    348    342    2032
  E      2   4.12   7.25   9.12  11.38  14.25  17.75     18  21.75  21.38     127

Table 2. Results for degree 9 primitive polynomials (48 polynomials; rows as in Table 1,
with E = D/48).

  A     60    110    160    210    260    310    360    410    460    510   Total
  B   3.05   9.08   13.1  18.15  23.19  27.22  32.26   38.3  43.07  47.58     255
  C      3      8     12     23     24     25     32     38     43     47     255
  D    166    398    629    880   1116   1337   1566   1818   2032   2298   12240
  E   3.46   8.29   13.1  18.33  23.27  27.85  32.62  37.87  42.34  47.87     255

Table 3. Results for degree 10 primitive polynomials (60 polynomials; rows as in Table 1,
with E = D/60).

  A    111    212    313    414    515    616    717    818    919   1022   Total
  B   6.02  15.05   26.1  36.14  46.18  55.22  66.26   76.3  85.34  98.39     511
  C      5     16     26     35     49     54     65     77     86     98     511
  D    360    938   1566   2142   2732   3386   3962   4544   5168   5862   30660
  E      6  15.63  26.12   35.7  45.53  56.43  66.03  75.73  86.13   97.7     511
Proof. From the assumption RandomEstimate we need $\binom{c}{t-1} N_{d,t} / \binom{2^d-2}{t-1}$
approximately equal to $1$. We approximate $N_{d,t}$ by the leading term of the recurrence
of Theorem 1, $N_{d,t} \approx \frac{1}{t-1}\binom{2^d-2}{t-2}$, and note that

$$\frac{\binom{2^d-2}{t-2}}{\binom{2^d-2}{t-1}}
= \frac{(t-1)!\,(2^d-t-1)!}{(t-2)!\,(2^d-t)!} = \frac{t-1}{2^d-t},$$

so the expected number of $t$-nomials of degree at most $c$ becomes

$$\binom{c}{t-1} \cdot \frac{1}{t-1} \cdot \frac{t-1}{2^d-t}
= \frac{c(c-1)\cdots(c-t+2)}{(t-1)!\,(2^d-t)}
\geq \left(\frac{c-t+2}{t-1}\right)^{t-1} \frac{1}{2^d}.$$

Here we underestimate the expression: each factor of the numerator is at least $c-t+2$,
each factor of $(t-1)!$ is at most $t-1$, and $2^d - t \leq 2^d$. Requiring this
underestimate to reach $1$ gives $c - t + 2 = (t-1)\,2^{\frac{d}{t-1}}$, i.e.
$c = (t-1)\,2^{\frac{d}{t-1}} + t - 2 \leq 2(t-1)\,2^{\frac{d}{t-1}}$. This gives the estimate
of $C_{d,t}$. Thus $C_{d,t} \approx 2(t-1)\,2^{\frac{d}{t-1}} = 2^{\frac{d}{t-1} + \log_2(t-1) + 1}$.
$\square$

We now discuss the significance of the above theorem. In [6,4] it has been shown that,
given any primitive polynomial $f(x)$, there exists a trinomial multiple of $f(x)$ with
degree at most the bound given there. Our result states that it is almost guaranteed to get
a trinomial multiple with degree $\leq 2^{\frac{d}{2}+2}$. Our result is much sharper than
the result of [6,4].
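An added example (not the authors' C program) of the least-degree search of this section for
$t = 3$ and $t = 4$, with the blind test "does $f(x)$ divide $g(x)$" of Find-t-Nomial-Multiple
replaced by a discrete-logarithm table in $GF(2^d)$: $x^j + x^i + 1$ is a multiple iff
$\alpha^j = 1 + \alpha^i$, so one lookup per $i$ enumerates every trinomial multiple, and the
same lookup decides for each candidate degree $c$ whether a 4-nomial of degree $c$ exists.
The degree $d = 12$, the choice of the smallest primitive polynomial of weight at least 5,
and the `search` function name are assumptions of this example:

```python
"""Least-degree trinomial and 4-nomial multiples of a primitive polynomial
via a discrete-log table in GF(2^d), compared with the RandomEstimate value
2^(d/(t-1) + log2(t-1) + 1)."""
from math import log2


def mulx(a, f, d):
    """Multiply a field element (d-bit int) by x and reduce modulo f."""
    a <<= 1
    return a ^ f if a >> d & 1 else a


def power_table(f, d):
    """alpha^i for i = 0..2^d-2 with alpha = x; addition in the field is XOR."""
    table, a = [], 1
    for _ in range(2 ** d - 1):
        table.append(a)
        a = mulx(a, f, d)
    return table


def is_primitive(f, d):
    """f is primitive iff x has multiplicative order exactly 2^d - 1 mod f."""
    table = power_table(f, d)
    return len(set(table)) == 2 ** d - 1 and mulx(table[-1], f, d) == 1


def first_primitive(d, min_weight):
    """Smallest primitive polynomial of degree d (as a bit mask) with at least
    min_weight terms; weight > 4 keeps f from being its own sparse multiple."""
    for f in range((1 << d) | 1, 1 << (d + 1), 2):   # odd: constant term present
        if bin(f).count("1") >= min_weight and is_primitive(f, d):
            return f
    raise ValueError("no such polynomial")


def poly_mod(g, f):
    """g mod f over GF(2), both as bit masks (independent divisibility check)."""
    df = f.bit_length() - 1
    while g and g.bit_length() - 1 >= df:
        g ^= f << (g.bit_length() - 1 - df)
    return g


def least_trinomial(table):
    """x^j + x^i + 1 is a multiple iff alpha^j = 1 + alpha^i.  One table lookup
    per i finds every trinomial multiple, so the count comes for free."""
    log = {v: i for i, v in enumerate(table)}
    best, count = None, 0
    for i in range(1, len(table)):
        j = log[table[i] ^ 1]
        if i < j:
            count += 1
            if best is None or j < best[1]:
                best = (i, j)
    return best, count


def least_4nomial(table, d):
    """Find-t-Nomial-Multiple for t = 4, degree c = d+1 upwards: for each i < c
    look up the j with alpha^j = 1 + alpha^i + alpha^c and accept it if j < c."""
    log = {v: i for i, v in enumerate(table)}
    for c in range(d + 1, len(table)):
        for i in range(1, c):
            j = log.get(table[i] ^ table[c] ^ 1)
            if j is not None and j < c and j != i:
                return tuple(sorted((i, j))) + (c,)
    return None


def estimate(d, t):
    """RandomEstimate bound on the least degree: 2^(d/(t-1) + log2(t-1) + 1)."""
    return 2 ** (d / (t - 1) + log2(t - 1) + 1)


def search(d=12, min_weight=5):
    """Least-degree trinomial and 4-nomial multiples of the chosen f, each
    re-checked by polynomial division, next to the RandomEstimate values."""
    f = first_primitive(d, min_weight)
    table = power_table(f, d)
    (i, j), n_tri = least_trinomial(table)
    quad = least_4nomial(table, d)
    return {
        "f": f,
        "trinomial": (i, j), "trinomial_count": n_tri,
        "trinomial_divides": poly_mod((1 << j) | (1 << i) | 1, f) == 0,
        "trinomial_estimate": estimate(d, 3),
        "4-nomial": quad,
        "4-nomial_divides": poly_mod(sum(1 << e for e in quad) | 1, f) == 0,
        "4-nomial_estimate": estimate(d, 4),
    }
```

For $d = 12$ the estimate gives $2^8 = 256$ for trinomials and
$2^{4 + \log_2 3 + 1} \approx 96$ for 4-nomials; the least degrees actually returned can be
compared against these values, and the trinomial count equals $2^{d-1} - 1$ as Theorem 1
requires.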

Let us also refer to a result on 4-nomial multiples of a primitive polynomial [11, Page 174]. It states that given a primitive polynomial $f(x)$ of degree $d$, it is possible to get a 4-nomial multiple of $f(x)$ having degree less than $2^{\frac{d}{3}}$ with high probability. This result is not exactly true. By computer experiment we observe that for a randomly chosen primitive polynomial $f(x)$, most of the time $f(x)$ does not have a 4-nomial multiple with degree less than $2^{\frac{d}{3}}$. As an example we once again repeat our result presented in the introduction. For the degree 31 primitive polynomial $f(x)$ given there, the minimum degree 4-nomial multiple has degree 3286. Note that 3286 is much larger than $2^{\frac{d}{3}} = 2^{\frac{31}{3}} \approx 1290$ for $d = 31$. On the other hand, our estimate $2^{\frac{d}{t-1}+\log_2(t-1)+1} = 2^{\frac{d}{3}+\log_2 3+1} = 2^{\frac{d}{3}+2.585+1}$ is much more reasonable: it gives the value 7740 for $d = 31$.

We are generally interested in sparse multiples. So even if we consider values of $t$ up to 9, it is clear that the estimate for the minimum degree of a $t$-nomial multiple is at most $2^{\frac{d}{t-1}+4}$, as $\log_2(t-1) \leq \log_2 8 = 3$. Thus we propose that in practical systems primitive polynomials of degree at least 128 should be used. Even in such a case, it is expected to get a 9-nomial multiple of degree $2^{20}$ and a 5-nomial multiple of degree $2^{35}$.

In the existing systems where LFSRs of lower size, say 64, are being used, the systems are susceptible to cryptanalytic attacks. For $d = 64$, we can expect to get a 9-nomial multiple at degree as low as $2^{12} = 4096$. It is known that if a primitive polynomial $f(x)$ of degree $d$ has a moderate degree ($> d$) $t$-nomial multiple $g(x)$, then the recurrence relation satisfied by $f(x)$ will also be satisfied by $g(x)$. Thus we can very well exploit the attack proposed in [11] by choosing the recurrence relation induced by $g(x)$. Given our observation, whatever the weight of the primitive polynomial $f(x)$ (it does not matter whether it is of high or low weight, as we have a low weight multiple), we can attack the system using $g(x)$. For a 64-degree primitive polynomial $f(x)$ we can expect to get a 9-nomial multiple of degree 4096. Now if it is possible to get around $2 \times 4096 = 8192$ ciphertext bits, it is feasible to estimate the key from the recurrence relation induced by $g(x)$ [11]. Getting 8192 ciphertext bits is a feasible proposition. Thus the current systems using small length LFSRs should be under scrutiny in the light of our results.

Our result in Theorem 5 can be used to calculate the expected running time of the Algorithm Find-t-Nomial-Multiple at the beginning of this section. Considering our estimate of Theorem 5, the value of $C_{d,t}$ in the discussion of complexity should be estimated as $2(t-1)2^{\frac{d}{t-1}}$. Thus we need to check whether $f(x)$ divides $g(x)$ for

$$\sum_{i=d}^{C_{d,t}} \binom{i-1}{t-2} \approx \binom{C_{d,t}}{t-1}$$

different $t$-nomials in total. Note that the algorithm can be parallelized easily using more than one machine for a faster solution.

Next we present some more experimental results to support Theorem 5. We consider the primitive polynomials of degree 8 to 16 and present the results as follows. For each degree $d$ we give how many primitive polynomials of that degree do not have a $t$-nomial multiple having degree $< C_{d,t}$, with $C_{d,t}$ as given in Theorem 5. We consider trinomials and 4-nomials. In the first column we present the degree of the primitive polynomial. In the second column we present the total number of primitive polynomials of degree $d$, which is $\phi(2^d-1)/d$. In the third column we provide the estimated value of $C_{d,3}$ from Theorem 5. The fourth column A provides the number of primitive polynomials for which the least degree trinomial multiple has degree $> C_{d,3}$. Similarly, in the fifth column we provide the estimated value of $C_{d,4}$, and the sixth column B provides the number of primitive polynomials for which the least degree 4-nomial multiple has degree $> C_{d,4}$.

Table 4 strongly supports the estimation of Theorem 5. However, it is in- 
teresting to see that there are indeed a few primitive polynomials which do not 
have minimum degree t-nomials in the range of estimated degree in Theorem 5. 
These primitive polynomials are more suitable for cryptographic purposes. In 
fact this motivates us to present the following criteria in selection of primitive 
polynomials to be used as LFSR connection polynomials. Given a set of prim- 
itive polynomials of degree d and weight w, we need to choose the one out of 
those whose least degree t-nomial multiple has maximum degree for low values of 
t. Currently the only available option to find out such a primitive polynomial is 
exhaustive search technique. 

As a passing remark, we would also like to mention the problem of finding Zech's logarithm. Given a primitive element $\alpha \in GF(2^d)$, we can write $1 + \alpha^n = \alpha^{Z(n)}$. Given $n$, the calculation of $Z(n)$ is called the problem of finding Zech's logarithm [10, Page 91, Volume 1]. This problem (see [5,8] and the references in these papers) is related to the problem of getting the trinomial multiples of a primitive polynomial: $f(x)$ divides $x^a + x^b + 1$ exactly when $\alpha^a = 1 + \alpha^b$, that is, when $a = Z(b)$. Note that we have the result that it is expected to get a trinomial multiple of any primitive polynomial having degree $< 2^{\frac{d}{2}+2}$. This gives that, given a primitive element $\alpha$, it is expected to get an $\langle n, Z(n)\rangle$ pair with $\max(n, Z(n)) < 2^{\frac{d}{2}+2}$.
Table 4. Experimental results with respect to Theorem 5.

  degree d | phi(2^d-1)/d | Estimated C_{d,3} |  A | Estimated C_{d,4} |  B
  ---------+--------------+-------------------+----+-------------------+----
      8    |      16      |        64         |  0 |        38         |  0
      9    |      48      |        90         |  0 |        48         |  0
     10    |      60      |       128         |  0 |        60         |  0
     11    |     176      |       181         |  0 |        76         |  0
     12    |     144      |       256         |  0 |        96         |  0
     13    |     630      |       362         |  0 |       120         |  0
     14    |     756      |       512         |  0 |       153         |  0
     15    |    1800      |       724         |  6 |       192         |  0
     16    |    2048      |      1024         | 13 |       241         |  0
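The Zech-logarithm connection described above gives a direct way to compute the least-degree trinomial multiple of a primitive polynomial, and so to reproduce column A of Table 4 for small $d$ and compare it with the Theorem 5 estimate. The following Python program is an added example, not code from the paper: polynomials over GF(2) are bit masks (bit $i$ is the coefficient of $x^i$), primitivity is tested by checking that $x$ has order exactly $2^d - 1$ modulo $f$, and all function names are my own.

```python
"""Added example: least-degree trinomial multiples of primitive polynomials over
GF(2) via Zech's logarithm, checked against the Theorem 5 estimate C_{d,t}."""
from math import comb


def estimate_C(d, t):
    """C_{d,t} = 2(t-1) 2^{d/(t-1)} = 2^{d/(t-1) + log2(t-1) + 1} (Theorem 5)."""
    return 2 * (t - 1) * 2 ** (d / (t - 1))


def trials_find_t_nomial(d, t):
    """Number of t-nomials of degree between d and C_{d,t} that Find-t-Nomial-Multiple
    may have to divide by f(x): sum_{i=d}^{C} binom(i-1, t-2) ~ binom(C, t-1)."""
    C = int(estimate_C(d, t))
    return sum(comb(i - 1, t - 2) for i in range(d, C + 1))


def power_table(f, d):
    """[alpha^0, ..., alpha^(2^d-2)] for a root alpha of the degree-d polynomial f
    (polynomials over GF(2) as bit masks, bit i = coefficient of x^i).
    Returns None unless x has order exactly 2^d - 1 modulo f, i.e. unless f is primitive."""
    n = (1 << d) - 1
    tab, cur = [1], 1
    for _ in range(1, n):
        cur <<= 1                      # multiply by x ...
        if cur >> d & 1:
            cur ^= f                   # ... and reduce modulo f
        if cur == 1:
            return None                # order of x is a proper divisor of 2^d - 1
        tab.append(cur)
    cur <<= 1
    if cur >> d & 1:
        cur ^= f
    return tab if cur == 1 else None   # x^(2^d - 1) must be 1


def primitive_polynomials(d):
    """All primitive polynomials of degree d over GF(2): phi(2^d - 1)/d of them."""
    return [f for f in range((1 << d) | 1, 1 << (d + 1), 2) if power_table(f, d) is not None]


def zech_table(tab):
    """Zech's logarithm Z(n), 1 + alpha^n = alpha^Z(n), for n = 1, ..., 2^d - 2."""
    log = {v: i for i, v in enumerate(tab)}
    return {n: log[tab[n] ^ 1] for n in range(1, len(tab))}


def min_trinomial_degree(tab):
    """Least degree of a trinomial multiple x^a + x^b + 1 of f: f divides it iff
    alpha^a = 1 + alpha^b iff a = Z(b), so the answer is min over n of max(n, Z(n))."""
    return min(max(n, z) for n, z in zech_table(tab).items())


def table4_column_A(d):
    """Number of degree-d primitive polynomials whose least-degree trinomial multiple
    has degree greater than the estimate C_{d,3} (column A of Table 4)."""
    C = estimate_C(d, 3)
    return sum(1 for f in primitive_polynomials(d)
               if min_trinomial_degree(power_table(f, d)) > C)


if __name__ == "__main__":
    for d in (8, 9, 10):
        polys = primitive_polynomials(d)
        worst = max(min_trinomial_degree(power_table(f, d)) for f in polys)
        print(f"d={d}: {len(polys)} primitive polynomials, C_d,3={estimate_C(d, 3):.1f}, "
              f"largest least-trinomial degree={worst}, column A={table4_column_A(d)}")
    print("C_31,4 =", int(estimate_C(31, 4)), "  C_64,9 =", estimate_C(64, 9))
    print("trinomials to test for d=16:", trials_find_t_nomial(16, 3))
```

Running this for $d = 8, 9, 10$ takes a second or two; degrees 15 and 16, where Table 4 reports 6 and 13 exceptional polynomials, need a few minutes of Python time with the same code, since every candidate polynomial costs $2^d$ shift-and-reduce steps.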
Abstract. The XTR cryptosystem makes use of an irreducible polynomial $F(c,x) = x^3 - cx^2 + c^px - 1$ over a finite field $\mathbb{F}_{p^2}$. In this paper, we develop a new method to generate such an irreducible polynomial. Our method requires only computations of Jacobi symbols and thus improves those given in [1], [2] and [3].



1 Introduction

In a series of papers [1], [2], [3] and [4], A.K. Lenstra and E.R. Verheul introduced and developed a new cryptosystem, the so called XTR public key system. Let $F(c,x) = x^3 - cx^2 + c^px - 1$ be an irreducible polynomial in $\mathbb{F}_{p^2}[x]$ for some element $c \in \mathbb{F}_{p^2}$. Then a root $h$ of $F(c,x)$ is in $\mathbb{F}_{p^6}$ and satisfies $h^{p^2-p+1} = 1$ ([1]). Thus $h$ generates a subgroup of $\mathbb{F}_{p^6}^*$ of order dividing $p^2 - p + 1$. For each integer $k$, put $c_k = Tr(h^k)$, where $Tr$ is the trace from $\mathbb{F}_{p^6}$ to $\mathbb{F}_{p^2}$. The idea of XTR (Efficient and Compact Subgroup Trace Representation) is that one can make use of $\{c_k\}$ instead of the subgroup $\langle h \rangle = \{h^k\}$ in implementing various cryptosystems such as the Diffie-Hellman key agreement protocol and the ElGamal system. Note that $\{c_k\}$ is in $\mathbb{F}_{p^2}$, while $\langle h \rangle = \{h^k\}$ is in $\mathbb{F}_{p^6}$. Thus the XTR system has obvious advantages in both computation and communication (XTR reduces the cost to $\frac{1}{3}$) while maintaining the same security level as one working with $\{h^k\}$ ([1]). Considering the size of $p$, which is supposed to be as large as $\frac{1}{6} \times 1024 \approx 170$ bits, saving $\frac{2}{3}$ is huge.

One of the problems in running the XTR system is the generation of $c$ which guarantees the irreducibility of $F(c,x) = x^3 - cx^2 + c^px - 1$. For a randomly chosen $c$ in $\mathbb{F}_{p^2}$, the probability for $F(c,x)$ to be irreducible is $\frac{1}{3}$. In [1], [2] and [3], several algorithms for the irreducibility test of $F(c,x)$ are given. The best irreducibility test known so far requires about $1.8\log_2 p$ multiplications in $\mathbb{F}_p$ ([3]). So one needs about $2.7\log_2 p$ multiplications on average to initiate the XTR system. There is another improvement in finding irreducible polynomials $F(c,x)$. Namely, in [2], it is proved that $F(c,x)$ is always irreducible for a certain special value $c$ when $p \equiv 2$ or $5 \bmod 9$ and $p \equiv 3 \bmod 4$.

The purpose of this paper is to generate irreducible polynomials $F(c,x)$ in $\mathbb{F}_{p^2}[x]$ more efficiently. In section 2, we will show that they can be derived from irreducible polynomials in $\mathbb{F}_p[x]$. Fix a quadratic nonresidue $t$ in $\mathbb{F}_p$ and suppose an irreducible polynomial in $\mathbb{F}_p[x]$ of the form $x^3 - tax^2 + bx + a$ is given. Then we will show that $F(c,x) = x^3 - cx^2 + c^px - 1$ is always irreducible, where $c = \frac{3-bt}{1+bt} + \frac{4at}{1+bt}\alpha$ with $\alpha^2 = t$. Therefore, to generate an irreducible polynomial $x^3 - cx^2 + c^px - 1$ in $\mathbb{F}_{p^2}[x]$, start with an irreducible polynomial $x^3 - tax^2 + bx + a$ in $\mathbb{F}_p[x]$ and get the corresponding one in $\mathbb{F}_{p^2}[x]$. Of course, not every irreducible polynomial in $\mathbb{F}_p[x]$ is of the form $x^3 - atx^2 + bx + a$. However, note that for a given irreducible polynomial $H(x) = x^3 + lx^2 + mx + n$ in $\mathbb{F}_p[x]$ with $lmn \neq 0$, $H(x)$ is of the form $x^3 - tax^2 + bx + a$ for some quadratic nonresidue $t$ if and only if $-\frac{l}{n}$ is a quadratic nonresidue. So the probability for $H(x)$ to be of the form $x^3 - tax^2 + bx + a$ is $\frac{1}{2}$. Therefore, once we have an irreducible polynomial $H(x)$ in $\mathbb{F}_p[x]$, by considering $H(x+k)$ for $k = 0, \pm 1, \pm 2, \ldots$, we can find an irreducible polynomial of the form $x^3 - tax^2 + bx + a$ in $\mathbb{F}_p[x]$ (and thus $F(c,x)$ also) before long, since the probability that $H(x+k)$ cannot produce $F(c,x)$ is $\frac{1}{2}$ for each $k$. In this way, we can find plenty of irreducible polynomials $F(c,x)$.

* This paper was supported by the Basic Research Institute Program, Korea Research Foundation, 2000-015-DP0006.

Thus our problem is narrowed down to how to create irreducible cubic polynomials in $\mathbb{F}_p[x]$. This is handled in section 3, where we explain how to find irreducible cubic polynomials in $\mathbb{F}_p[x]$ by examining several examples. In example 1, we find an irreducible polynomial $F(c,x)$ when $p \equiv 2$ or $5 \bmod 9$. This case was studied in [2], where a different irreducible polynomial is constructed by a different method. In the next two examples, we produce irreducible polynomials $F(c,x)$ for different moduli, namely the case $p \not\equiv \pm 1 \bmod 7$ in example 2 and the case $p \equiv \pm 2$ or $\pm 3$ or $\pm 4$ or $\pm 6 \bmod 13$ in example 3. Thus by looking at $p \bmod 9$, or $\bmod 7$, or $\bmod 13$, we get an irreducible polynomial $F(c,x)$ immediately. If we are in such an unfortunate case that $p \not\equiv 2$ or $5 \bmod 9$ and $p \equiv \pm 1 \bmod 7$ and $p \equiv \pm 1$ or $\pm 5 \bmod 13$, another appropriate modulus, for instance $\bmod 19$, would yield an irreducible polynomial $F(c,x)$.

2 Generation of $F(c,x)$

For a given prime $p$, which is supposed to be as large as $\frac{1}{6} \times 1024 \approx 170$ bits for applications to cryptosystems, fix a quadratic nonresidue $t$ in $\mathbb{F}_p$. Let $G(x) = x^3 - tax^2 + bx + a$ be a polynomial in $\mathbb{F}_p[x]$ with $a, b \in \mathbb{F}_p$. Let $\beta_1$, $\beta_2$ and $\beta_3$ be the roots of $G(x)$, so that

$$G(x) = x^3 - tax^2 + bx + a = (x - \beta_1)(x - \beta_2)(x - \beta_3).$$

Let $\alpha$ be an element in $\mathbb{F}_{p^2}$ such that $\alpha^2 = t$. Then $\{1, \alpha\}$ is a basis of $\mathbb{F}_{p^2}$ over $\mathbb{F}_p$. Since $\beta_1 + \beta_2 + \beta_3 = ta$ and $\beta_1\beta_2\beta_3 = -a$, we have $(1+\beta_1\alpha)(1+\beta_2\alpha)(1+\beta_3\alpha) = 1 + bt \in \mathbb{F}_p$.

Put

$$F(x) = (x - (1+\beta_1\alpha)^{p^3-1})(x - (1+\beta_2\alpha)^{p^3-1})(x - (1+\beta_3\alpha)^{p^3-1}).$$

Since $(1+\beta_1\alpha)(1+\beta_2\alpha)(1+\beta_3\alpha)$ is in $\mathbb{F}_p$, the constant term of $F(x)$ is $-(1+\beta_1\alpha)^{p^3-1}(1+\beta_2\alpha)^{p^3-1}(1+\beta_3\alpha)^{p^3-1} = -1$. Put

$$c = (1+\beta_1\alpha)^{p^3-1} + (1+\beta_2\alpha)^{p^3-1} + (1+\beta_3\alpha)^{p^3-1}.$$
We claim that the coefficient of $x$ of $F(x)$ equals $c^p$. Note that $\alpha^p = (\alpha^2)^{\frac{p-1}{2}}\alpha = t^{\frac{p-1}{2}}\alpha = -\alpha$. Thus

$$c^p = (1-\beta_1^p\alpha)^{p^3-1} + (1-\beta_2^p\alpha)^{p^3-1} + (1-\beta_3^p\alpha)^{p^3-1} = \frac{1+\beta_1^{p^4}\alpha}{1-\beta_1^p\alpha} + \frac{1+\beta_2^{p^4}\alpha}{1-\beta_2^p\alpha} + \frac{1+\beta_3^{p^4}\alpha}{1-\beta_3^p\alpha}.$$

On the other hand, since the product of the three roots of $F(x)$ is 1, the coefficient of $x$ of $F(x)$ is

$$(1+\beta_1\alpha)^{p^3-1}(1+\beta_2\alpha)^{p^3-1} + (1+\beta_2\alpha)^{p^3-1}(1+\beta_3\alpha)^{p^3-1} + (1+\beta_1\alpha)^{p^3-1}(1+\beta_3\alpha)^{p^3-1}$$
$$= \frac{1}{(1+\beta_1\alpha)^{p^3-1}} + \frac{1}{(1+\beta_2\alpha)^{p^3-1}} + \frac{1}{(1+\beta_3\alpha)^{p^3-1}} = \frac{1+\beta_1\alpha}{1-\beta_1^{p^3}\alpha} + \frac{1+\beta_2\alpha}{1-\beta_2^{p^3}\alpha} + \frac{1+\beta_3\alpha}{1-\beta_3^{p^3}\alpha}.$$

There are three cases to consider:

(i) all $\beta_i$'s are in $\mathbb{F}_p$, in which case $\beta_i^p = \beta_i$;

(ii) one of the $\beta_i$, say $\beta_1$, is in $\mathbb{F}_p$, and the other two are in $\mathbb{F}_{p^2}$, in which case $\beta_1^p = \beta_1$ and, for $i = 2, 3$, $\beta_i^{p^2} = \beta_i$ with $\beta_2^p = \beta_3$ and $\beta_3^p = \beta_2$;

(iii) all $\beta_i$'s are in $\mathbb{F}_{p^3}$, in which case $\beta_i^{p^3} = \beta_i$ and they are conjugate over $\mathbb{F}_p$, so that we may assume $\beta_1^p = \beta_2$, $\beta_2^p = \beta_3$ and $\beta_3^p = \beta_1$.

In any case, one can check that the coefficient of $x$ of $F(x)$ equals $c^p$, as desired (in case (iii), for instance, both expressions equal $\sum_{i=1}^{3}\frac{1+\beta_i\alpha}{1-\beta_i\alpha}$). Therefore $F(x)$ is a polynomial of the form $F(x) = x^3 - cx^2 + c^px - 1$.

Next we claim that

(a) $c \in \mathbb{F}_{p^2}$,

(b) $G(x)$ is irreducible over $\mathbb{F}_p$ if and only if $F(x)$ is irreducible over $\mathbb{F}_{p^2}$,

(c) if $G(x)$ is irreducible over $\mathbb{F}_p$, then $tb \neq -1$ and $c = \frac{3-bt+4at\alpha}{1+bt}$.

(a) follows easily from the observation that $c^{p^2} = c$. To prove (b), note that if $G(x)$ is irreducible, then we are in situation (iii). In this case the roots of $F(x)$ are conjugates over $\mathbb{F}_{p^2}$, thus $F(x)$ is irreducible. On the other hand, if $G(x)$ is reducible, we are in case (i) or (ii). Then the roots of $F(x)$ lie in $\mathbb{F}_{p^2}$, so $F(x)$ is reducible. Hence we obtain (b). Finally we examine (c). If $G(x)$ is irreducible, then $tb \neq -1$, for otherwise $ta$ would be a root of $G(x)$. To get the formula for $c$, we expand the expression for $c$, using $\beta_i^{p^3} = \beta_i$:

$$c = (1+\beta_1\alpha)^{p^3-1} + (1+\beta_2\alpha)^{p^3-1} + (1+\beta_3\alpha)^{p^3-1} = \frac{1-\beta_1\alpha}{1+\beta_1\alpha} + \frac{1-\beta_2\alpha}{1+\beta_2\alpha} + \frac{1-\beta_3\alpha}{1+\beta_3\alpha}$$
$$= \frac{3 - (\beta_1\beta_2 + \beta_2\beta_3 + \beta_1\beta_3)t + \{(\beta_1+\beta_2+\beta_3) - 3\beta_1\beta_2\beta_3 t\}\alpha}{1 + (\beta_1\beta_2 + \beta_2\beta_3 + \beta_1\beta_3)t} = \frac{3 - bt + 4at\alpha}{1 + bt}.$$

To summarize, we have the following theorem:

Theorem 1. Let $t$ be a quadratic nonresidue mod $p$ and $G(x)$ be an irreducible polynomial in $\mathbb{F}_p[x]$ of the form $G(x) = x^3 - atx^2 + bx + a$. Then $F(c,x) = x^3 - cx^2 + c^px - 1$ with $c = \frac{3-bt+4at\alpha}{1+bt}$ is an irreducible polynomial in $\mathbb{F}_{p^2}[x]$, where $\alpha^2 = t$.



Remark 1. Let $H(x) = x^3 + lx^2 + mx + n$ be an irreducible polynomial in $\mathbb{F}_p[x]$ with $lmn \neq 0$. Then $H(x)$ is of the form $G(x) = x^3 - tax^2 + bx + a$ for some quadratic nonresidue $t$ if and only if $-\frac{l}{n}$ is a quadratic nonresidue, which can be tested by computing the Jacobi symbol $\left(\frac{-l/n}{p}\right)$. So the probability for $H(x)$ to be of the form $x^3 - tax^2 + bx + a$ is $\frac{1}{2}$. Hence, once we have an irreducible polynomial $H(x)$, by considering $H(x+k)$ for $k = 0, \pm 1, \pm 2, \ldots$, we obtain an irreducible polynomial of the form $x^3 - tax^2 + bx + a$ before long, since the probability that $H(x+k)$ is not of the desired form is $\frac{1}{2}$ for each $k$.

3 Examples

Example 1. $p \equiv 2$ or $5 \bmod 9$

Let $\zeta = \zeta_9$ be a primitive 9th root of 1. Then $Irr(\zeta, \mathbb{F}_p) = x^6 + x^3 + 1$, $\mathbb{F}_{p^6} = \mathbb{F}_p(\zeta)$ and $\mathbb{F}_{p^3} = \mathbb{F}_p(\zeta + \zeta^{-1})$. Now we compute the irreducible polynomial for $\zeta + \zeta^{-1}$ over $\mathbb{F}_p$. Note that the conjugates of $\zeta + \zeta^{-1}$ over $\mathbb{F}_p$ are $\zeta^p + \zeta^{-p}$ and $\zeta^{p^2} + \zeta^{-p^2}$. Since $p \equiv 2$ or $5 \bmod 9$, they are $\zeta^2 + \zeta^{-2}$ and $\zeta^4 + \zeta^{-4}$. Since

$$(\zeta+\zeta^{-1}) + (\zeta^2+\zeta^{-2}) + (\zeta^4+\zeta^{-4}) = 0,$$
$$(\zeta+\zeta^{-1})(\zeta^2+\zeta^{-2}) + (\zeta^2+\zeta^{-2})(\zeta^4+\zeta^{-4}) + (\zeta+\zeta^{-1})(\zeta^4+\zeta^{-4}) = -3,$$
$$\text{and } (\zeta+\zeta^{-1})(\zeta^2+\zeta^{-2})(\zeta^4+\zeta^{-4}) = -1,$$

we get $Irr(\zeta + \zeta^{-1}, \mathbb{F}_p) = x^3 - 3x + 1$. Let

$$H(x) = Irr(3(\zeta+\zeta^{-1}) - 1, \mathbb{F}_p) = x^3 + 3x^2 - 24x + 1.$$

Since $p \equiv 2 \bmod 3$, $\left(\frac{-3}{p}\right) = -1$. Thus $H(x)$ is of the form $x^3 - atx^2 + bx + a$ with $a = 1$, $b = -24$ and $t = -3$, which is a quadratic nonresidue. Therefore the corresponding polynomial $F(c,x) = x^3 - cx^2 + c^px - 1$ with $c = -\frac{69}{73} - \frac{12}{73}\alpha$ is irreducible over $\mathbb{F}_{p^2}$, where $\alpha^2 = -3$.
Example 2. $p \not\equiv \pm 1 \bmod 7$

Let $\zeta = \zeta_7$ be a primitive 7th root of 1. If $p \equiv 3$ or $5 \bmod 7$, then $\mathbb{F}_p(\zeta) = \mathbb{F}_{p^6}$, so $\mathbb{F}_p(\zeta + \zeta^{-1}) = \mathbb{F}_{p^3}$. If $p \equiv 2$ or $4 \bmod 7$, then $\mathbb{F}_p(\zeta) = \mathbb{F}_{p^3}$. Note that $\mathbb{F}_p(\zeta + \zeta^{-1}) = \mathbb{F}_{p^3}$ in this case, too. Thus the conjugates of $\zeta + \zeta^{-1}$ over $\mathbb{F}_p$ are $\zeta^2 + \zeta^{-2}$ and $\zeta^3 + \zeta^{-3}$. Note that

$$(\zeta+\zeta^{-1}) + (\zeta^2+\zeta^{-2}) + (\zeta^3+\zeta^{-3}) = -1,$$
$$(\zeta+\zeta^{-1})(\zeta^2+\zeta^{-2}) + (\zeta^2+\zeta^{-2})(\zeta^3+\zeta^{-3}) + (\zeta+\zeta^{-1})(\zeta^3+\zeta^{-3}) = -2,$$
$$\text{and } (\zeta+\zeta^{-1})(\zeta^2+\zeta^{-2})(\zeta^3+\zeta^{-3}) = 1.$$

Therefore $Irr(\zeta + \zeta^{-1}, \mathbb{F}_p) = x^3 + x^2 - 2x - 1$. Let

$$H(x) = Irr(\zeta + \zeta^{-1}, \mathbb{F}_p) = x^3 + x^2 - 2x - 1.$$

Suppose that $p \equiv 3 \bmod 4$, and consider

$$H(x+2) = Irr(\zeta + \zeta^{-1} - 2, \mathbb{F}_p) = x^3 + 7x^2 + 14x + 7.$$

Since $p \equiv 3 \bmod 4$, $-1$ is a quadratic nonresidue mod $p$. Thus $H(x+2)$ is an irreducible polynomial of the form $G(x) = x^3 - atx^2 + bx + a$ with $a = 7$, $b = 14$ and $t = -1$. Hence the polynomial $F(c,x) = x^3 - cx^2 + c^px - 1$ with $c = -\frac{17}{13} + \frac{28}{13}\alpha$ is irreducible over $\mathbb{F}_{p^2}$, where $\alpha^2 = -1$.

Example 3. $p \equiv \pm 2$ or $\pm 3$ or $\pm 4$ or $\pm 6 \bmod 13$

Let $\zeta = \zeta_{13}$ be a primitive 13th root of 1. As in example 2, one can check that $\mathbb{F}_{p^3} = \mathbb{F}_p(\zeta + \zeta^{-1} + \zeta^5 + \zeta^{-5})$. The conjugates of $\gamma_1 = \zeta + \zeta^{-1} + \zeta^5 + \zeta^{-5}$ over $\mathbb{F}_p$ are $\gamma_1 = \zeta + \zeta^{-1} + \zeta^5 + \zeta^{-5}$, $\gamma_2 = \zeta^2 + \zeta^{-2} + \zeta^3 + \zeta^{-3}$ and $\gamma_3 = \zeta^4 + \zeta^{-4} + \zeta^6 + \zeta^{-6}$. Note that

$$\gamma_1 + \gamma_2 + \gamma_3 = -1,$$
$$\gamma_1\gamma_2 + \gamma_2\gamma_3 + \gamma_1\gamma_3 = -4,$$
$$\text{and } \gamma_1\gamma_2\gamma_3 = -1.$$

Therefore $Irr(\gamma_1, \mathbb{F}_p) = x^3 + x^2 - 4x + 1$. Let

$$H(x) = Irr(\gamma_1, \mathbb{F}_p) = x^3 + x^2 - 4x + 1.$$

For $a \in \mathbb{F}_p$, we have

$$H(x+a) = Irr(\gamma_1 - a, \mathbb{F}_p) = x^3 + (3a+1)x^2 + (3a^2+2a-4)x + a^3 + a^2 - 4a + 1.$$

In particular,

$$H(x-1) = x^3 - 2x^2 - 3x + 5 \quad \text{and} \quad H(x+3) = x^3 + 10x^2 + 29x + 25.$$

Thus, if $\left(\frac{2/5}{p}\right) = -1$, we make use of the first polynomial with $a = 5$, $b = -3$ and $t = \frac{2}{5}$ to get an irreducible polynomial $F(c,x)$. In this case, $c = -21 - 40\alpha$, where $\alpha^2 = \frac{2}{5}$. While if $\left(\frac{2/5}{p}\right) = 1$, we use $H(x+3) = x^3 + 10x^2 + 29x + 25$. In this case, $a = 25$, $b = 29$ and $t = -\frac{2}{5}$; note that $t$ is then a quadratic nonresidue exactly when $-1$ is, that is, when $p \equiv 3 \bmod 4$, and otherwise one continues with another shift $H(x+k)$. Then we get an irreducible polynomial $F(c,x)$ with $c = -\frac{73}{53} + \frac{200}{53}\alpha$, where $\alpha^2 = -\frac{2}{5}$.
Abstract. The work investigates cheating prevention in secret sharing. It is argued that a secret sharing scheme is immune against cheating if the cheaters gain no advantage over honest participants by submitting invalid shares to the combiner. This work addresses the case when shares and the secret are taken from $GF(p^t)$. Two models are considered. The first one examines the case when cheaters consistently submit invalid shares. The second model deals with cheaters who submit a mixture of valid and invalid shares. For these two models, cheating immunity is defined, properties of cheating immune secret sharing are investigated and their constructions are given.

Keywords: Secret Sharing, Nonlinear Secret Sharing, Cheating Immunity



1 Introduction 

Secret sharing is widely used to produce group-oriented cryptographic algorithms, systems and protocols. Tompa and Woll [11] showed that Shamir secret sharing can be subject to cheating by dishonest participants. It is easy to see that, in fact, dishonest participants can cheat in any linear secret sharing. Cheating prevention has been addressed in the literature for conditionally and unconditionally secure secret sharing. For conditionally secure secret sharing, the combiner checks the validity of submitted shares before attempting to compute the secret. Any invalid share (and the cheater) is likely to be detected before the secret reconstruction (see [2,1,6]). Publicly verifiable secret sharing (see [3,5,9,7]) provides a solution to this problem in the conditionally secure setting. We argue that instead of setting up an expensive verification infrastructure to detect cheaters, it is possible to discourage them from cheating. It is likely that cheaters will be discouraged if they are not able to reconstruct the valid secret from the invalid one returned by the combiner. Ideally, submission of invalid shares should not give any advantage to the cheaters over the honest participants in recovery of the valid secret. In this work shares and the secret are from $GF(p^t)$. The structure of the paper is as follows. First we introduce a basic model of cheating in which cheaters always submit invalid shares. Cheating immunity is defined and constructions of cheating immune secret sharing are given. Further we generalise our model to the case where the collaborating cheaters may submit an arbitrary mixture of their valid and invalid shares. Again, the notion of strict immunity is introduced, its properties are investigated and constructions are shown.



2 Basic Model of Cheating

Let $GF(p^t)$ denote a finite field with $p^t$ elements where $p$ is a prime number and $t$ is a positive integer. We write $GF(p^t)^n$ to denote the vector space of $n$-tuples of elements from $GF(p^t)$. Then each vector $\alpha \in GF(p^t)^n$ can be expressed as $\alpha = (a_1, \ldots, a_n)$ where $a_1, \ldots, a_n \in GF(p^t)$. We consider a mapping $f$ from $GF(p^t)^n$ to $GF(p^t)$. Usually we write $f$ as $f(x)$ or $f(x_1, \ldots, x_n)$ where $x = (x_1, \ldots, x_n)$ and each $x_j \in GF(p^t)$. $f$ is also called a function on $GF(p^t)^n$. $f$ is said to be balanced if $f(x)$ takes each element of $GF(p^t)$ precisely $p^{t(n-1)}$ times while $x$ goes through each vector in $GF(p^t)^n$ once. The Hamming weight of a vector $\alpha \in GF(p^t)^n$, denoted by $HW(\alpha)$, is the number of nonzero coordinates of $\alpha$. An affine function $f$ on $GF(p^t)^n$ is a function that takes the form $f(x_1, \ldots, x_n) = a_1x_1 + \cdots + a_nx_n + c$, where $+$ denotes the addition in $GF(p^t)$ and $a_j, c \in GF(p^t)$, $j = 1, 2, \ldots, n$. Furthermore $f$ is called a linear function if $c = 0$. It is easy to verify that any non-constant affine function is balanced.

We see secret sharing as a set of distribution rules combined into a single table $T$ (see [10]) with entries from $GF(p^t)$. We also assume that we are dealing with an $(n,n)$ threshold scheme where any $n$ participants are able to determine a single entry from $T$ which indicates the secret. Our considerations are restricted to the case of $(n,n)$ secret sharing. The general case of $(n,N)$ secret sharing can be seen as a concatenation of $(n,n)$ secret sharing with a system of $N$ "consistent" linear equations. Shares are generated for $N$ participants using the linear equations. Any $n$ participants can get a system of linear equations with a unique solution which points out the unique row of the table $T$. Let $x = (x_1, \ldots, x_n)$ and $\delta = (\delta_1, \ldots, \delta_n)$ be two vectors in $GF(p^t)^n$. Define a vector $x_\delta^- \in GF(p^t)^n$, whose $j$-th coordinate is $x_j$ if $\delta_j \neq 0$, or $0$ if $\delta_j = 0$. In addition, we define a vector $x_\delta^+ \in GF(p^t)^n$, whose $j$-th coordinate is $0$ if $\delta_j \neq 0$, or $x_j$ if $\delta_j = 0$. Let $\tau = (\tau_1, \ldots, \tau_n)$ and $\delta = (\delta_1, \ldots, \delta_n)$ be two vectors in $GF(p^t)^n$. We write $\tau \preceq \delta$ to denote the property that if $\tau_j \neq 0$ then $\delta_j \neq 0$. In addition, we write $\tau \prec \delta$ to denote the property that $\tau \preceq \delta$ and $HW(\tau) < HW(\delta)$. In particular, if $\delta' \preceq \delta$ and $HW(\delta') = HW(\delta)$ we write $\delta \asymp \delta'$. It is easy to verify that $\delta \asymp \delta' \iff \delta' \preceq \delta$ and $\delta \preceq \delta' \iff$ both $x_\delta^- = x_{\delta'}^-$ and $x_\delta^+ = x_{\delta'}^+$ hold for any $x \in GF(p^t)^n$, where $\iff$ denotes "if and only if". We define the following notation that will be frequently used in this paper. Let $\delta$ be a nonzero vector in $GF(p^t)^n$, $\tau \preceq \delta$ and $u \in GF(p^t)$. Set

$$R_f(\delta, \tau, u) = \{x_\delta^+ \mid f(x_\delta^+ + \tau) = u\}. \qquad (1)$$

We also simply write $R_f(\delta, \tau, u)$ as $R(\delta, \tau, u)$ if no confusion occurs.
Lemma 1. Let $\delta$ be a nonzero vector in $GF(p^t)^n$, $\tau \preceq \delta$, and $u \in GF(p^t)$. Then for any given function $f$ on $GF(p^t)^n$, (i) $R(\delta, \tau, u) = R(\delta', \tau, u)$ if $\delta' \asymp \delta$, (ii) $R(\delta, \alpha_\delta^-, u) = R(\delta, \gamma_\delta^-, u)$ for any $\alpha, \gamma \in GF(p^t)^n$ with $\alpha_\delta^- = \gamma_\delta^-$, (iii) there exists some $b \in GF(p^t)$ such that $R(\delta, \tau, b) \neq \emptyset$, where $\emptyset$ denotes the empty set.

Proof. As (i) and (ii) hold obviously, we only prove (iii). Let $\gamma$ be any vector in $GF(p^t)^n$. Set $f(\gamma_\delta^+ + \tau) = b$. By definition, $\gamma_\delta^+ \in R_f(\delta, \tau, b)$ and thus $R(\delta, \tau, b) \neq \emptyset$. □

Given a function $f$ on $GF(p^t)^n$, we introduce the following notation:

— Let $\alpha \in GF(p^t)^n$ be the sequence of shares held by the group $\mathcal{P} = \{P_1, \ldots, P_n\}$ of $n$ participants and the secret $K = f(\alpha)$.

— The collection of cheaters is determined by the sequence $\delta = (\delta_1, \delta_2, \ldots, \delta_n)$ where $P_i$ is a cheater $\iff \delta_i$ is nonzero.

— At the pooling time, the cheaters submit their shares. It is assumed that cheaters always submit invalid shares. The honest participants always submit their valid shares. We consider the vector $\alpha + \delta$. From the properties of $x_\delta^-$ and $x_\delta^+$, $\alpha + \delta = \alpha_\delta^+ + \alpha_\delta^- + \delta$. Thus the combiner obtains $\alpha + \delta$ that splits into two parts: $\alpha_\delta^+$, the part submitted by honest participants, and $\alpha_\delta^- + \delta$, the part submitted by cheaters. The combiner returns an invalid secret $K^* = f(\alpha + \delta)$. Note that the cheaters always change their shares. We assume that there exists at least one cheater, in other words, $\delta$ is nonzero or $HW(\delta) > 0$.

— $\alpha_\delta^-$ determines the valid shares held by the cheaters. The set $R(\delta, \alpha_\delta^-, K)$, or $\{x_\delta^+ \mid f(x_\delta^+ + \alpha_\delta^-) = K\}$, determines the collection of rows of $T$ with the correct secret $K$ and the valid shares held by the cheaters.

— The set $R(\delta, \alpha_\delta^- + \delta, K^*)$, or $\{x_\delta^+ \mid f(x_\delta^+ + \alpha_\delta^- + \delta) = K^*\}$, represents the view of the cheaters after getting back $K^*$ from the combiner.

The function $f$ is called the defining function as it determines the secret sharing. The nonzero vector $\delta = (\delta_1, \ldots, \delta_n)$ is called a cheating vector, and $\alpha$ is called an original vector. The value of

$$\rho_{\delta,\alpha} = \#(R(\delta, \alpha_\delta^- + \delta, K^*) \cap R(\delta, \alpha_\delta^-, K)) / \#R(\delta, \alpha_\delta^- + \delta, K^*)$$

expresses the probability of cheater success with respect to $\delta$ and $\alpha$, where $\#X$ denotes the number of elements in the set $X$. As the honest part $\alpha_\delta^+$ of the original vector is always in $R(\delta, \alpha_\delta^- + \delta, K^*) \cap R(\delta, \alpha_\delta^-, K)$, the probability of successful cheating always satisfies $\rho_{\delta,\alpha} > 0$. Clearly the number of cheaters is equal to $HW(\delta)$.

Theorem 1. Given a secret sharing scheme with its defining function $f$ on $GF(p^t)^n$. Let $\delta \in GF(p^t)^n$ with $0 < HW(\delta) < n$ be a cheating vector and $\alpha$ be an original vector in $GF(p^t)^n$. If $\rho_{\delta,\alpha} < p^{-t}$ then there exists a vector $\gamma \in GF(p^t)^n$ such that $\rho_{\delta,\gamma} > p^{-t}$.

Proof. Let $f(\alpha) = K$ and $f(\alpha + \delta) = K^*$. By definition, $R(\delta, \alpha_\delta^-, K) = \{x_\delta^+ \mid f(x_\delta^+ + \alpha_\delta^-) = K\}$ and $R(\delta, \alpha_\delta^- + \delta, K^*) = \{x_\delta^+ \mid f(x_\delta^+ + \alpha_\delta^- + \delta) = K^*\}$. We partition $R(\delta, \alpha_\delta^- + \delta, K^*)$ into $p^t$ parts: $R(\delta, \alpha_\delta^- + \delta, K^*) = \bigcup_{u \in GF(p^t)} Q_u$, where $Q_u = R(\delta, \alpha_\delta^- + \delta, K^*) \cap R(\delta, \alpha_\delta^-, u + K)$. Clearly $\#R(\delta, \alpha_\delta^- + \delta, K^*) = \sum_{u \in GF(p^t)} \#Q_u$. Note that $R(\delta, \alpha_\delta^- + \delta, K^*) \cap R(\delta, \alpha_\delta^-, K) = Q_0$. Therefore $\rho_{\delta,\alpha} = \#(R(\delta, \alpha_\delta^- + \delta, K^*) \cap R(\delta, \alpha_\delta^-, K))/\#R(\delta, \alpha_\delta^- + \delta, K^*) = \#Q_0/\#R(\delta, \alpha_\delta^- + \delta, K^*)$. Since $\rho_{\delta,\alpha} < p^{-t}$, we have $\#Q_0/\#R(\delta, \alpha_\delta^- + \delta, K^*) < p^{-t}$. It follows that $\#Q_0 < p^{-t}\#R(\delta, \alpha_\delta^- + \delta, K^*)$. Thus we know that $\sum_{u \in GF(p^t),\, u \neq 0} \#Q_u > (1 - p^{-t})\#R(\delta, \alpha_\delta^- + \delta, K^*)$. Thus there exists some $b \in GF(p^t)$ with $b \neq 0$ such that $\#Q_b > p^{-t}\#R(\delta, \alpha_\delta^- + \delta, K^*)$. By definition, $Q_b = \{x_\delta^+ \mid f(x_\delta^+ + \alpha_\delta^- + \delta) = K^*,\ f(x_\delta^+ + \alpha_\delta^-) = b + K\}$. Then there exists a vector $\beta_\delta^+ \in Q_b$, and then $f(\beta_\delta^+ + \alpha_\delta^- + \delta) = K^*$, $f(\beta_\delta^+ + \alpha_\delta^-) = b + K$. Set $\gamma = \beta_\delta^+ + \alpha_\delta^-$. Thus $f(\gamma + \delta) = K^*$ and $f(\gamma) = b + K$. Clearly $\gamma_\delta^- = \alpha_\delta^-$ and $\gamma_\delta^+ = \beta_\delta^+$. Next we choose $\gamma$ as an original vector. Due to $R(\delta, \gamma_\delta^- + \delta, K^*) = \{x_\delta^+ \mid f(x_\delta^+ + \gamma_\delta^- + \delta) = K^*\}$, $R(\delta, \gamma_\delta^-, b + K) = \{x_\delta^+ \mid f(x_\delta^+ + \gamma_\delta^-) = b + K\}$ and $\gamma_\delta^- = \alpha_\delta^-$, we know that $R(\delta, \gamma_\delta^- + \delta, K^*) \cap R(\delta, \gamma_\delta^-, b + K) = Q_b$ and $\rho_{\delta,\gamma} = \#(R(\delta, \gamma_\delta^- + \delta, K^*) \cap R(\delta, \gamma_\delta^-, b + K))/\#R(\delta, \gamma_\delta^- + \delta, K^*) = \#Q_b/\#R(\delta, \gamma_\delta^- + \delta, K^*) = \#Q_b/\#R(\delta, \alpha_\delta^- + \delta, K^*) > p^{-t}$. □

2.1 $k$-Cheating Immune Secret Sharing Scheme

Given a secret sharing with its defining function $f$ on $GF(p^t)^n$. For a fixed nonzero $\delta \in GF(p^t)^n$, due to Theorem 1, $\min\{\rho_{\delta,\alpha} \mid \alpha \in GF(p^t)^n\} < p^{-t}$ implies that $\max\{\rho_{\delta,\alpha} \mid \alpha \in GF(p^t)^n\} > p^{-t}$. Therefore it is desirable that $\rho_{\delta,\alpha} = p^{-t}$ holds for every $\alpha \in GF(p^t)^n$. A secret sharing is said to be $k$-cheating immune if $\rho_{\delta,\alpha} = p^{-t}$ holds for every $\delta \in GF(p^t)^n$ with $1 \leq HW(\delta) \leq k$ and every $\alpha \in GF(p^t)^n$.

Theorem 2. Given a secret sharing with its defining function $f$ on $GF(p^t)^n$. Then this secret sharing is $k$-cheating immune $\iff$ for any integer $l$ with $1 \leq l \leq k$, any $\delta \in GF(p^t)^n$ with $HW(\delta) = l$, any $\tau \preceq \delta$ and any $u, v \in GF(p^t)$, the following conditions hold simultaneously: (i) $\#R(\delta, \tau, v) = p^{t(n-l-1)}$, (ii) $\#(R(\delta, \tau, v) \cap R(\delta, \tau + \delta, u)) = p^{t(n-l-2)}$.

Proof. Assume that the secret sharing is $k$-cheating immune. Choose $\delta$ as a cheating vector and any vector $\alpha \in GF(p^t)^n$ as an original vector. Due to Lemma 1, there exist $a, b \in GF(p^t)$ such that $R(\delta, \alpha_\delta^- + \delta, a) \neq \emptyset$ and $R(\delta, \alpha_\delta^-, b) \neq \emptyset$. Note that $R(\delta, \alpha_\delta^- + \delta, a)$ can be partitioned into $p^t$ parts: $R(\delta, \alpha_\delta^- + \delta, a) = \bigcup_{v \in GF(p^t)} R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v)$. Assume that $R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v) \neq \emptyset$ for some $v \in GF(p^t)$. Then there exists a vector $\beta_\delta^+ \in R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v)$. Set $\gamma = \beta_\delta^+ + \alpha_\delta^-$. Since the secret sharing is $k$-cheating immune, $\#(R(\delta, \gamma_\delta^- + \delta, a) \cap R(\delta, \gamma_\delta^-, v))/\#R(\delta, \gamma_\delta^- + \delta, a) = \rho_{\delta,\gamma} = p^{-t}$, where $\gamma_\delta^- = \alpha_\delta^-$. Thus $\#R(\delta, \alpha_\delta^- + \delta, a) = p^t\#(R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v))$ whenever $R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v) \neq \emptyset$. It follows that $\#R(\delta, \alpha_\delta^- + \delta, a) = \sum_{v \in GF(p^t)} \#(R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v))$. Combining the above two equalities, we know that $R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v) \neq \emptyset$ for every $v \in GF(p^t)$ and thus $\#(R(\delta, \alpha_\delta^- + \delta, a) \cap R(\delta, \alpha_\delta^-, v)) = p^{-t}\#R(\delta, \alpha_\delta^- + \delta, a)$ for every $v \in GF(p^t)$. Replacing $\alpha$, $\delta$ by $\alpha + \delta$, $(p-1)\delta$ respectively, due to the same arguments, we have $\#(R((p-1)\delta, \alpha_\delta^- + p\delta, b) \cap R((p-1)\delta, \alpha_\delta^- + \delta, u)) = p^{-t}\#R((p-1)\delta, \alpha_\delta^- + p\delta, b)$ for every $u \in GF(p^t)$. Since the characteristic of the finite field $GF(p^t)$ is $p$, $pe = 0$ for every $e \in GF(p^t)$. It follows that $\#(R((p-1)\delta, \alpha_\delta^-, b) \cap R((p-1)\delta, \alpha_\delta^- + \delta, u)) = p^{-t}\#R((p-1)\delta, \alpha_\delta^-, b)$ for every $u \in GF(p^t)$. Using Lemma 1, we obtain $\#(R(\delta, \alpha_\delta^-, b) \cap R(\delta, \alpha_\delta^- + \delta, u)) = p^{-t}\#R(\delta, \alpha_\delta^-, b)$ for every $u \in GF(p^t)$. Recall that $R(\delta, \alpha_\delta^- + \delta, a) \neq \emptyset$ and $R(\delta, \alpha_\delta^-, b) \neq \emptyset$. Therefore we have proved that $R(\delta, \alpha_\delta^-, v) \neq \emptyset$ and $R(\delta, \alpha_\delta^- + \delta, u) \neq \emptyset$ for every $u, v \in GF(p^t)$. Due to the same reasoning, we have $\#(R(\delta, \alpha_\delta^- + \delta, u) \cap R(\delta, \alpha_\delta^-, v)) = p^{-t}\#R(\delta, \alpha_\delta^- + \delta, u)$ and $\#(R(\delta, \alpha_\delta^-, v) \cap R(\delta, \alpha_\delta^- + \delta, u)) = p^{-t}\#R(\delta, \alpha_\delta^-, v)$ for every $u, v \in GF(p^t)$. Comparing the above two equalities, we conclude that $\#R(\delta, \alpha_\delta^- + \delta, u) = \#R(\delta, \alpha_\delta^-, v)$ for every $u, v \in GF(p^t)$. Therefore both $\#R(\delta, \alpha_\delta^- + \delta, u)$ and $\#R(\delta, \alpha_\delta^-, v)$ are constant. Note that $\sum_{v \in GF(p^t)} \#R(\delta, \alpha_\delta^-, v) = p^{t(n-l)}$. We have proved that $\#R(\delta, \alpha_\delta^-, v) = p^{t(n-l-1)}$ for every $v \in GF(p^t)$. Thus we have proved that $\#(R(\delta, \alpha_\delta^- + \delta, u) \cap R(\delta, \alpha_\delta^-, v)) = p^{t(n-l-2)}$ for every $u, v \in GF(p^t)$. For any $\tau \preceq \delta$, choose $\alpha \in GF(p^t)^n$ such that $\alpha_\delta^- = \tau$. Clearly both conditions (i) and (ii) hold. Conversely assume the defining function $f$ satisfies conditions (i) and (ii). Choose any $\delta \in GF(p^t)^n$ with $HW(\delta) = l$, where $1 \leq l \leq k$, as a cheating vector and any $\alpha$ as an original vector. Set $f(\alpha) = K$ and $f(\alpha + \delta) = K^*$. By definition, $\rho_{\delta,\alpha} = \#(R(\delta, \alpha_\delta^- + \delta, K^*) \cap R(\delta, \alpha_\delta^-, K))/\#R(\delta, \alpha_\delta^- + \delta, K^*)$. Due to conditions (i) and (ii), $\rho_{\delta,\alpha} = p^{t(n-l-2)}/p^{t(n-l-1)} = p^{-t}$. Thus we have proved that the secret sharing is $k$-cheating immune. □



Theorem 3. Given a secret sharing with its defining function $f$ on $GF(p^t)^n$. Then the following statements are equivalent: (i) this secret sharing is $k$-cheating immune, (ii) for any integer $l$ with $1 \leq l \leq k$, any $\delta \in GF(p^t)^n$ with $HW(\delta) = l$, any $\tau \preceq \delta$ and any $u, v \in GF(p^t)$, we have $\#(R(\delta, \tau, v) \cap R(\delta, \tau + \delta, u)) = p^{t(n-l-2)}$, (iii) for such $l$, $\delta$, $\tau$, $u$ and $v$ mentioned in (ii), the system of equations

$$\begin{cases} f(x_\delta^+ + \tau + \delta) = u \\ f(x_\delta^+ + \tau) = v \end{cases}$$

has precisely $p^{t(n-l-2)}$ solutions on $x_\delta^+$.

Proof. Clearly (ii) $\iff$ (iii). Due to Theorem 2, (i) $\Rightarrow$ (ii). To complete the proof, we only need to prove that (ii) $\Rightarrow$ (i). Assume that (ii) holds. Thus $\#(R(\delta, \tau, v) \cap R(\delta, \tau + \delta, u)) = p^{t(n-l-2)}$ for every $u, v \in GF(p^t)$. Note that $R(\delta, \tau, v) = \bigcup_{u \in GF(p^t)} R(\delta, \tau, v) \cap R(\delta, \tau + \delta, u)$ and then $\#R(\delta, \tau, v) = \sum_{u \in GF(p^t)} \#(R(\delta, \tau, v) \cap R(\delta, \tau + \delta, u)) = p^{t(n-l-1)}$. Using Theorem 2, we have proved that (i) holds. □



2.2 Constructions of $k$-Cheating Immune Secret Sharing

Let $h$ be a function of degree two on $GF(p^t)^n$ and $\delta = (\delta_1, \ldots, \delta_n)$ be a nonzero vector in $GF(p^t)^n$. Set $J = \{j \mid \delta_j \neq 0,\ 1 \leq j \leq n\}$. Let $\tau$ be any vector in $GF(p^t)^n$ with $\tau \preceq \delta$. It is easy to verify that $x_jx_i$ is a term in $h(x_\delta^+ + \tau) \iff x_jx_i$ is a term in $h$ and also $j, i \notin J \iff x_jx_i$ is a term in $h(x_\delta^+ + \tau + \delta)$. Thus $h(x_\delta^+ + \tau)$ and $h(x_\delta^+ + \tau + \delta)$ have the same quadratic terms, and thus $h(x_\delta^+ + \tau + \delta) - h(x_\delta^+ + \tau)$ must be an affine function. The function $h$ of degree two is said to have the property $B(k)$ if for any $\delta \in GF(p^t)^n$ with $1 \leq HW(\delta) \leq k$ and any $\tau \preceq \delta$, $h(x_\delta^+ + \tau + \delta) - h(x_\delta^+ + \tau)$ is a non-constant affine function.
Lemma 2. Let $f_1$ and $f_2$ be two functions on $GF(p^t)^{n_1}$ and $GF(p^t)^{n_2}$ respectively. Set $f(x) = f_1(y) + f_2(z)$ where $x = (y, z)$, $y \in GF(p^t)^{n_1}$ and $z \in GF(p^t)^{n_2}$. Then $f$ is balanced if $f_1$ or $f_2$ is balanced.

The above lemma can be verified directly. The special case of $p = 2$ and $t = 1$ was given in Lemma 12 of [8]. Using Lemma 2, we can prove

Lemma 3. Let $f_1$ and $f_2$ be two functions of degree two on $GF(p^t)^{n_1}$ and $GF(p^t)^{n_2}$ respectively. Set $f(x) = f_1(y) + f_2(z)$ where $x = (y, z)$, $y \in GF(p^t)^{n_1}$ and $z \in GF(p^t)^{n_2}$. Then $f$ has the property $B(k)$ if both $f_1$ and $f_2$ have the property $B(k)$.

Theorem 4. Let $k$ and $s$ be two positive integers with $s \geq k+1$, and let $h_j$ be a balanced function of degree two on $GF(p^t)^{n_j}$ satisfying the property $B(k)$, $j = 1, \ldots, s$. Set $n = n_1 + \cdots + n_s$. Define a function $f$ on $GF(p^t)^n$ by $f(x) = h_1(y) + \cdots + h_s(z)$ where $x = (y, \ldots, z)$, and $h_i$ and $h_j$ have disjoint variables if $i \neq j$. Then the secret sharing with the defining function $f$ is $k$-cheating immune.



Proof. Let $\delta = (\delta_1,\dots,\delta_n) \in GF(p^t)^n$ with $HW(\delta) = l$, where $1 \le l \le k$. Let $\tau$ be any vector in $GF(p^t)^n$ with $\tau \preceq \delta$. Consider the system of equations
$$f(x_\delta^- + \tau) = u, \qquad f(x_\delta^- + \tau + \delta) = v$$
in the unknown $x_\delta^-$, and set $J = \{\,j \mid \delta_j \neq 0,\ 1 \le j \le n\,\}$. Note that $\#J = HW(\delta) = l$. We write $J = \{j_1,\dots,j_l\}$. Since $l \le k \le s-1$, there exists some $j_0$ with $1 \le j_0 \le s$ such that no variable of $h_{j_0}$ is in $\{x_{j_1},\dots,x_{j_l}\}$. For the sake of convenience, we assume that $j_0 = s$, and thus $h_s$ remains unchanged in both equations above. Thus if $j \in J$ then $j \le n - n_s$. Write $x = (\mu, z)$, where $\mu \in GF(p^t)^{n-n_s}$ and $z \in GF(p^t)^{n_s}$. Define a vector $\sigma = (\sigma_1,\dots,\sigma_{n-n_s}) \in GF(p^t)^{n-n_s}$ by $\sigma_j = \delta_j$, $j = 1,\dots,n-n_s$. Thus $HW(\sigma) = HW(\delta) = \#J = l$ and $x_\delta^- = (\mu_\sigma^-, z)$. We rewrite the above system of equations as
$$g_1(\mu_\sigma^-) + h_s(z) = u, \qquad g_2(\mu_\sigma^-) + h_s(z) = v,$$
where both $g_1$ and $g_2$ are functions on $GF(p^t)^{n-n_s}$. Note that $x_jx_i$ is a term in $g_1 + h_s$ $\Leftrightarrow$ $x_jx_i$ is a term in $f$ and $j,i \notin J$ $\Leftrightarrow$ $x_jx_i$ is a term in $g_2 + h_s$. Thus $g_1 + h_s$ and $g_2 + h_s$ have the same quadratic terms. Therefore $g_1 - g_2$ is an affine function. Set $g_2 - g_1 = \psi$. Note that the above system of equations is equivalent to
$$g_1(\mu_\sigma^-) + h_s(z) = u, \qquad \psi(\mu_\sigma^-) = v - u.$$
Since each $h_i$ has the property B(k), so has $h_1 + \cdots + h_{s-1}$ by Lemma 3, and hence $\psi$ is a non-constant affine function; thus the equation $\psi(\mu_\sigma^-) = v - u$ has $p^{t(n-n_s-l-1)}$ solutions $\mu_\sigma^-$. For each fixed solution $\mu_\sigma^-$ of the equation $\psi(\mu_\sigma^-) = v - u$, since $h_s$ is balanced, $g_1(\mu_\sigma^-) + h_s(z)$ takes the value $u$ precisely $p^{t(n_s-1)}$ times while $z$ runs through $GF(p^t)^{n_s}$ once. Therefore the above system of equations has precisely $p^{t(n-n_s-l-1)} \cdot p^{t(n_s-1)} = p^{t(n-l-2)}$ solutions $(\mu_\sigma^-, z) = x_\delta^-$. Due to Theorem 3, we have proved that the secret sharing with the defining function $f$, defined in the theorem, is $k$-cheating immune. $\square$
Lemma 4. Define a function $\chi_{2k+1}$ on $GF(p^t)^{2k+1}$ by $\chi_{2k+1}(x_1,\dots,x_{2k+1}) = x_1x_2 + x_2x_3 + \cdots + x_{2k}x_{2k+1} + x_{2k+1}$. Then (i) the function $\chi_{2k+1}$ is balanced, (ii) $\chi_{2k+1}$ satisfies the property B(k).

Proof. By a nonsingular linear transform on the variables (for instance $y_{2i} = x_{2i}$ and $y_{2i-1} = x_{2i-1} + x_{2i+1}$ for $i = 1,\dots,k$, and $y_{2k+1} = x_{2k+1}$), the function $\chi_{2k+1}$ can be transformed to the form $y_1y_2 + y_3y_4 + \cdots + y_{2k-1}y_{2k} + y_{2k+1}$. It is easy to verify that the function $h(y_1,\dots,y_{2k+1}) = y_{2k+1}$ is balanced. Due to Lemma 2, $\chi_{2k+1}$ is balanced. Next we prove part (ii) of the lemma. Let $\delta \in GF(p^t)^{2k+1}$ with $HW(\delta) = l$, where $1 \le l \le k$, and $\tau \preceq \delta$. Write $\delta = (\delta_1,\dots,\delta_{2k+1})$ and $J = \{\,j \mid \delta_j \neq 0,\ 1 \le j \le 2k+1\,\}$. Clearly, $\#J = HW(\delta) = l$. The index $i \notin J$ is said to be associated with $j \in J$ if $x_jx_i$ is a term in $\chi_{2k+1}$. Due to the structure of $\chi_{2k+1}$, each $i \notin J$ is associated with at most two elements of $J$. Since $l \le k$, it is easy to verify that there exists some $j_0$ such that $j_0 \in J$, $j_0 + 1 \notin J$ and $j_0 + 1$ is associated with $j_0$ only (Case 1), or otherwise there exists some $i_0$ such that $i_0 \in J$, $i_0 - 1 \notin J$ and $i_0 - 1$ is associated with $i_0$ only (Case 2). Assume Case 1 occurs. Write $\tau = (\tau_1,\dots,\tau_{2k+1})$. Since $j_0 \in J$, we know that $\delta_{j_0} \neq 0$. Therefore $\delta_{j_0}x_{j_0+1}$ must appear in $\chi_{2k+1}(x_\delta^- + \tau + \delta) - \chi_{2k+1}(x_\delta^- + \tau)$. This proves that $\chi_{2k+1}$ has the property B(k) in Case 1. Similarly we can prove that $\chi_{2k+1}$ has the property B(k) in Case 2. $\square$

Using Lemmas 2, 3 and 4, we obtain the following:

Lemma 5. Define a function $\chi_{4k+2}$ on $GF(p^t)^{4k+2}$ by $\chi_{4k+2}(x_1,\dots,x_{4k+2}) = \chi_{2k+1}(x_1,\dots,x_{2k+1}) + \chi_{2k+1}(x_{2k+2},\dots,x_{4k+2})$. Then (i) the function $\chi_{4k+2}$ is balanced, (ii) $\chi_{4k+2}$ satisfies the property B(k).

$\chi_n$ in Lemma 4 or 5 has been defined for odd $n$ and for even $n$ with $n \equiv 2 \bmod 4$. Due to Lemma 4, Lemma 5 and Theorem 4, we have the following construction.

Theorem 5. Let $k$ and $s$ be positive integers with $s \ge k+1$. Let each of $n_1,\dots,n_s$ be $4k+1$ or $4k+2$, and $n = n_1 + \cdots + n_s$. Define a function $f$ on $GF(p^t)^n$ by $f(x) = \chi_{n_1}(y) + \cdots + \chi_{n_s}(z)$, where $x = (y,\dots,z)$, $y \in GF(p^t)^{n_1}, \dots, z \in GF(p^t)^{n_s}$, each $\chi_{n_j}$ has been defined in Lemma 4 or Lemma 5, and $\chi_{n_1},\dots,\chi_{n_s}$ have mutually disjoint variables. Then the secret sharing with the defining function $f$ is $k$-cheating immune.

Note that $n = n_1 + \cdots + n_s$, defined in Theorem 5, can be expressed as $n = (4k+1)r + (4k+2)q$ where $r \ge 0$ and $q \ge 0$ are integers. Since $4k+1$ and $4k+2$ are relatively prime, any integer can also be written as $(4k+1)r + (4k+2)q$ where $r$ and $q$ are integers. Furthermore it is easy to verify that any integer $n \ge (4k+1)^2$ can be expressed as $n = (4k+1)r + (4k+2)q$ where $r, q \ge 0$. Since $n \ge (4k+1)^2$, $s = r + q \ge k+1$, where $s$ was mentioned in Theorem 5. Using Theorem 5, we can construct $k$-cheating immune secret sharing with $n$ participants where $n \ge (4k+1)^2$.

3 Generalised Model of Cheating

Given a function $f$ on $GF(p^t)^n$, we introduce the following notations:

— Let $\alpha \in GF(p^t)^n$ be the sequence of shares held by the group $\mathcal{P} = \{P_1,\dots,P_n\}$ of $n$ participants and the secret $K = f(\alpha)$.

— The collection of cheaters is determined by the sequence $\delta = (\delta_1,\dots,\delta_n)$, where $P_i$ is a cheater if and only if $\delta_i \neq 0$.

— At the pooling time, the cheaters submit their shares. This time it is assumed that cheaters may submit a mixture of valid and invalid shares. The honest participants always submit their valid shares. The collection of cheaters who submit invalid shares is determined by the sequence $\tau = (\tau_1,\dots,\tau_n)$, where $\tau_j = 0 \Leftrightarrow P_j$ is honest or $P_j$ is a cheater who submits a valid share; in other words, $\tau_j \neq 0 \Leftrightarrow P_j$ is a cheater who submits an invalid share. Clearly $\tau \preceq \delta$. We assume that there exists at least one cheater who submits an invalid share; in other words, we only consider the case that $\tau$ is nonzero, i.e. $HW(\tau) > 0$. We consider the vector $\alpha + \tau$. Due to the properties of the operations $x_\delta^-$ and $x_\delta^+$, $\alpha + \tau = \alpha_\delta^- + \alpha_\delta^+ + \tau$. The combiner obtains $\alpha + \tau$, which splits into two parts: $\alpha_\delta^-$, the part submitted by the honest participants, and $\alpha_\delta^+ + \tau$, the part submitted by the cheaters. The combiner returns an invalid secret $K^* = f(\alpha + \tau)$.

— $R(\delta, \alpha_\delta^+ + \tau, K^*)$, or $\{\,x_\delta^- \mid f(x_\delta^- + \alpha_\delta^+ + \tau) = K^*\,\}$, where $\alpha_\delta^+$ determines the valid shares held by the cheaters, represents the view of the cheaters after getting back $K^*$ from the combiner.

— The set $R(\delta, \alpha_\delta^+, K)$, or $\{\,x_\delta^- \mid f(x_\delta^- + \alpha_\delta^+) = K\,\}$, determines the collection of rows of $T$ with the correct secret $K$ and valid shares held by the cheaters.

In the generalised model of cheating, $\tau$ is used to determine how to cheat while $\delta$ is only used to determine which participants are dishonest; therefore we can define $\delta$ as a $(0,1)$-vector in $GF(p^t)^n$. However, in the basic model of cheating, $\delta$ is not only used to determine which participants are dishonest but also to determine how to cheat, thus $\delta$ has a more general form.

The function $f$ is called the defining function. The nonzero vector $\delta = (\delta_1,\dots,\delta_n)$ is called a cheating vector, the nonzero vector $\tau \preceq \delta$ is called an active cheating vector, and $\alpha$ is called an original vector. The value of
$$\rho_{\delta,\tau,\alpha} = \frac{\#\big(R(\delta, \alpha_\delta^+ + \tau, K^*) \cap R(\delta, \alpha_\delta^+, K)\big)}{\#R(\delta, \alpha_\delta^+ + \tau, K^*)}$$
expresses the probability of cheater success with respect to $\delta$, $\tau$ and $\alpha$. As $\alpha_\delta^-$ is always in $R(\delta, \alpha_\delta^+ + \tau, K^*) \cap R(\delta, \alpha_\delta^+, K)$, the probability of successful cheating always satisfies $\rho_{\delta,\tau,\alpha} > 0$. Clearly the number of cheaters is equal to $HW(\delta)$ and the number of active cheaters is equal to $HW(\tau)$. In particular, if $\tau = \delta$, we regain the basic model of cheating. From now on, we consider secret sharing against cheating in the generalised model of cheating.
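The quantities just defined can be computed exhaustively for toy parameters. The following Python code is an added example and is not part of the paper: it takes $t = 1$ (shares in $GF(p)$ for a prime $p$), builds the defining function of Theorem 5 with $k = 1$ from two copies of $\chi_5 = x_1x_2 + x_2x_3 + x_3x_4 + x_4x_5 + x_5$ on disjoint variables, and evaluates $\rho_{\delta,\tau,\alpha}$ by counting the rows $R(\delta, \alpha_\delta^+ + \tau, K^*)$ and $R(\delta, \alpha_\delta^+, K)$ directly. For comparison it also runs the same check on the linear function $x_1 + \cdots + x_n$, for which the cheaters always succeed. All function and variable names are ours, not the paper's.

```python
# Added example (not from the paper): cheating-success probability rho_{delta,tau,alpha}
# for a secret sharing with defining function f over GF(p), t = 1, computed by exhaustive
# enumeration of the combiner's view.  Small parameters only.
from fractions import Fraction
from itertools import combinations, product


def chi_odd(xs, p):
    """chi_{2k+1}(x_1,...,x_{2k+1}) = x_1x_2 + x_2x_3 + ... + x_{2k}x_{2k+1} + x_{2k+1} (mod p)."""
    m = len(xs)
    assert m % 2 == 1, "chi_odd needs an odd number of variables"
    return (sum(xs[i] * xs[i + 1] for i in range(m - 1)) + xs[-1]) % p


def block_sum(blocks):
    """f(x) = h_1(y) + ... + h_s(z): the h_j act on consecutive disjoint variable blocks (Theorem 4)."""
    def f(x, p):
        total, pos = 0, 0
        for h, size in blocks:
            total += h(x[pos:pos + size], p)
            pos += size
        return total % p
    return f


def linear(xs, p):
    """A deliberately bad defining function: f(x) = x_1 + ... + x_n."""
    return sum(xs) % p


def tabulate(f, n, p):
    """Table of f over all of GF(p)^n, keyed by the share vector."""
    return {x: f(x, p) for x in product(range(p), repeat=n)}


def success_probabilities(ftab, n, p, cheaters, tau):
    """rho_{delta,tau,alpha} for every original vector alpha (generalised model).

    cheaters: indices i with delta_i != 0; tau: {index: nonzero shift}, so tau ⪯ delta.
    rho = #(R(delta, a+ + tau, K*) ∩ R(delta, a+, K)) / #R(delta, a+ + tau, K*), where the
    R-sets range over the honest coordinates x_delta^- and a+ = alpha_delta^+.
    """
    cheaters = sorted(cheaters)
    honest = [i for i in range(n) if i not in cheaters]
    both, view = {}, {}          # (a+, K*, K) -> count,  (a+, K*) -> count
    for a_plus in product(range(p), repeat=len(cheaters)):
        for xm in product(range(p), repeat=len(honest)):
            x = [0] * n
            for i, v in zip(cheaters, a_plus):
                x[i] = v
            for i, v in zip(honest, xm):
                x[i] = v
            k_valid = ftab[tuple(x)]                     # row of T with the cheaters' valid shares
            for i in cheaters:
                x[i] = (x[i] + tau.get(i, 0)) % p
            k_star = ftab[tuple(x)]                      # what the combiner returns for that row
            both[(a_plus, k_star, k_valid)] = both.get((a_plus, k_star, k_valid), 0) + 1
            view[(a_plus, k_star)] = view.get((a_plus, k_star), 0) + 1
    rho = {}
    for alpha, k_true in ftab.items():
        a_plus = tuple(alpha[i] for i in cheaters)
        submitted = list(alpha)
        for i in cheaters:
            submitted[i] = (alpha[i] + tau.get(i, 0)) % p
        k_star = ftab[tuple(submitted)]
        rho[alpha] = Fraction(both[(a_plus, k_star, k_true)], view[(a_plus, k_star)])
    return rho


def is_k_cheating_immune(f, n, p, k):
    """Exhaustive test of the definition: rho == 1/p for all |delta| <= k, nonzero tau ⪯ delta, alpha."""
    ftab = tabulate(f, n, p)
    target = Fraction(1, p)
    for l in range(1, k + 1):
        for cheaters in combinations(range(n), l):
            for shifts in product(range(p), repeat=l):
                tau = {i: s for i, s in zip(cheaters, shifts) if s}
                if not tau:
                    continue
                if any(r != target for r in success_probabilities(ftab, n, p, cheaters, tau).values()):
                    return False
    return True


if __name__ == "__main__":
    f10 = block_sum([(chi_odd, 5), (chi_odd, 5)])       # Theorem 5 with k = 1, s = 2, n_1 = n_2 = 5
    print("chi_5 + chi_5 over GF(2) is 1-cheating immune:", is_k_cheating_immune(f10, 10, 2, 1))
    print("x_1 + ... + x_10 over GF(2) is 1-cheating immune:", is_k_cheating_immune(linear, 10, 2, 1))
```

The counting trick is that $\rho$ depends on $\alpha$ only through $\alpha_\delta^+$, $K$ and $K^*$, so one pass over the honest coordinates per value of $\alpha_\delta^+$ gives every $\rho_{\delta,\tau,\alpha}$ at once. For the linear function the two $R$-sets coincide (the cheaters recover $K = K^* - f(\tau)$), which is exactly why a defining function must be non-affine.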

3.1 Strictly k-Cheating Immune Secret Sharing Scheme

By using the same arguments as in the proof of Theorem 1, we can state:

Theorem 6. Given a secret sharing with its defining function $f$ on $GF(p^t)^n$. Let $\delta \in GF(p^t)^n$ with $0 < HW(\delta) < n$ be a cheating vector, $\tau \preceq \delta$ with $\tau \neq 0$ be an active cheating vector, and $\alpha \in GF(p^t)^n$ be an original vector. If $\rho_{\delta,\tau,\alpha} < p^{-t}$ then there exists a vector $\gamma \in GF(p^t)^n$ such that $\rho_{\delta,\tau,\gamma} > p^{-t}$.

For the same reason mentioned in Section 2.1, we introduce the concept of a strictly $k$-cheating immune secret sharing scheme. Given a secret sharing with its defining function $f$ on $GF(p^t)^n$, let $k$ be an integer with $1 \le k \le n-1$. The secret sharing is said to be strictly $k$-cheating immune if the probability of successful cheating satisfies $\rho_{\delta,\tau,\alpha} = p^{-t}$ for every $\delta \in GF(p^t)^n$ and any $\tau \preceq \delta$ with $1 \le HW(\tau) \le HW(\delta) \le k$ and every $\alpha \in GF(p^t)^n$. The following is a relationship between the two models of cheating immune secret sharing.

Theorem 7. Given a secret sharing with its defining function $f$ on $GF(p^t)^n$. Then the secret sharing is strictly $k$-cheating immune if and only if for any integer $r$ with $0 \le r \le k-1$, any subset $\{j_1,\dots,j_r\}$ of $\{1,\dots,n\}$ and any $a_1,\dots,a_r \in GF(p^t)$, the function $f(x_1,\dots,x_n)|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$, as a function on $GF(p^t)^{n-r}$ with the variables $x_{i_1},\dots,x_{i_{n-r}}$ where $\{i_1,\dots,i_{n-r}\} \cup \{j_1,\dots,j_r\} = \{1,\dots,n\}$, is the defining function on $GF(p^t)^{n-r}$ of a $(k-r)$-cheating immune secret sharing.

Proof. Assume that the secret sharing is strictly $k$-cheating immune. Let $g$ be a function on $GF(p^t)^{n-r}$ given by $g = f(x_1,\dots,x_n)|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$. Comparing the basic model of cheating with the generalised model of cheating (in the generalised model the $r$ cheaters holding $x_{j_1},\dots,x_{j_r}$ may submit their valid shares $a_1,\dots,a_r$ while the remaining at most $k-r$ cheaters all submit invalid shares), since $f$ is the defining function on $GF(p^t)^n$ of a strictly $k$-cheating immune secret sharing in the generalised model of cheating, we know that $g$ is the defining function on $GF(p^t)^{n-r}$ of a $(k-r)$-cheating immune secret sharing against the basic model of cheating. We have proved the necessity. By definition, we can invert the above reasoning and prove the sufficiency. $\square$

3.2 Construction of Strictly k-Cheating Immune Secret Sharing

Lemma 6. Let a function $f$ of degree two on $GF(p^t)^n$ have no nonzero constant term, in other words $f(0,\dots,0) = 0$, where $0$ denotes the zero element in $GF(p^t)$. Then $f$ is balanced $\Leftrightarrow$ there exists a nonzero vector $a \in GF(p^t)^n$ such that $f(x + a) - f(x)$ is constant and $f(a) \neq 0$.

Lemma 6 with $p = 2$ and $t = 1$ is a special case of the lemma in [4]. Lemma 6 can be proved using the same arguments as those used for the proof of the lemma in [4].

Lemma 7. Let $\chi_{n,p}$ be a function on $GF(p^t)^n$ ($n \ge 2p^2 + p$) defined by
$$\chi_{n,p}(x_1,\dots,x_n) = x_1 + \sum_{j=1}^{n}\big(x_jx_{[j+1](n)} + x_jx_{[j+2](n)} + \cdots + x_jx_{[j+p](n)}\big),$$
where $[i](n)$ denotes the integer $j$ such that $1 \le j \le n$ and $j \equiv i \bmod n$ (we replace $i$ by $[i](n)$ as $i$ is possibly greater than $n$). Then (i) $\chi_{n,p}$ is balanced, (ii) for any $r$ with $0 \le r \le p-1$, any subset $\{j_1,\dots,j_r\}$ of $\{1,\dots,n\}$ and any $a_1,\dots,a_r \in GF(p^t)$, the function $\chi_{n,p}(x_1,\dots,x_n)|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$, as a function on $GF(p^t)^{n-r}$ with the variables $x_{i_1},\dots,x_{i_{n-r}}$ where $\{i_1,\dots,i_{n-r}\} \cup \{j_1,\dots,j_r\} = \{1,\dots,n\}$, satisfies the property B(p).

Proof. From the construction of $\chi_{n,p}$, for any $j$ with $1 \le j \le n$, there exist precisely $2p$ quadratic terms containing $x_j$, namely $x_jx_{[j+i](n)}$ and $x_jx_{[j-i](n)}$ where $i = 1,\dots,p$. It is easy to verify that $\chi_{n,p}$ has precisely $np$ quadratic terms and, in addition, a linear term $x_1$. Set $g = \chi_{n,p} - x_1$, i.e. $g(x_1,\dots,x_n) = \sum_{j=1}^n (x_jx_{[j+1](n)} + \cdots + x_jx_{[j+p](n)})$, and $a = (1,\dots,1)$ where $1$ denotes the identity in $GF(p^t)$. Recall that the characteristic of the finite field $GF(p^t)$ is $p$. Then $pe = 0$ holds for any element $e \in GF(p^t)$. Thus it is easy to verify that $g(x + a) - g(x) = 0$ (each $x_j$ occurs in $2p$ quadratic terms, so the difference is $2p\sum_j x_j + np = 0$) and $g(a) = np = 0$. Therefore $\chi_{n,p}(x + a) - \chi_{n,p}(x) = 1$ and $\chi_{n,p}(a) = 1$. Due to Lemma 6, we know that $\chi_{n,p}$ is balanced. Next we prove part (ii) of the lemma. Write $h(y_1,\dots,y_{n-r}) = \chi_{n,p}(x_1,\dots,x_n)|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$. Set $x_{i_1} = y_1, \dots, x_{i_{n-r}} = y_{n-r}$ and $y = (y_1,\dots,y_{n-r})$. Then we consider the function $h(y_1,\dots,y_{n-r})$. Recall that for each $j$, $1 \le j \le n$, $x_j$ appears in precisely $2p$ quadratic terms of $\chi_{n,p}$: $x_jx_{[j+i](n)}$ and $x_jx_{[j-i](n)}$ where $i = 1,\dots,p$. Since $r \le p-1$, it is easy to see that for each $j$, $1 \le j \le n-r$, there are at least two quadratic terms of $h$ containing $y_j$. Let $\delta \in GF(p^t)^{n-r}$ be a cheating vector with $HW(\delta) = l$, where $1 \le l \le p$, and $\tau \preceq \delta$ be an active cheating vector. Write $\delta = (\delta_1,\dots,\delta_{n-r})$ and $J = \{\,j \mid \delta_j \neq 0,\ 1 \le j \le n-r\,\}$. Clearly $\#J = HW(\delta) = l$. We do not need to consider any term $y_jy_i$ in $h$ with $j,i \notin J$ as it does not appear in $h(y_\delta^- + \tau + \delta) - h(y_\delta^- + \tau)$. Since $n - r \ge 2p^2 + 1$ and $\#J = l \le p$, there exist some $j_0 \in J$ and some integer $m \ge 2p+1$ such that $[j_0 + m](n-r) \in J$ and $\{[j_0+1](n-r), [j_0+2](n-r), \dots, [j_0+m-1](n-r)\} \cap J = \emptyset$. Due to the structures of $\chi_{n,p}$ and $h$, there exists some $[i_0](n-r) \in \{[j_0+1](n-r), [j_0+2](n-r), \dots, [j_0+m-1](n-r)\}$ such that $y_{j_0}y_{[i_0](n-r)}$ is a term in $h$ but $y_{[j_0+m](n-r)}y_{[i_0](n-r)}$ is not a term in $h$. Furthermore, due to the structures of $\chi_{n,p}$ and $h$, $y_jy_{[i_0](n-r)}$ cannot be a term in $h$ for any $j \in J$ with $j \neq j_0$. Since $[i_0](n-r) \notin J$, as in the discussion before, any term $y_jy_{[i_0](n-r)}$ with $j \notin J$ does not appear in $h(y_\delta^- + \tau + \delta) - h(y_\delta^- + \tau)$. Since $j_0 \in J$, we know that $\delta_{j_0} \neq 0$. Therefore $\delta_{j_0}y_{[i_0](n-r)}$ appears in $h(y_\delta^- + \tau + \delta) - h(y_\delta^- + \tau)$. This proves that $h$ has the property B(p). $\square$
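Balancedness and the property B(k) of a candidate defining function can be checked by brute force for small parameters. The code below is an added example, not the paper's: it implements $\chi_{n,p}$ of Lemma 7 and $\chi_{2k+1}$ of Lemma 4 over $GF(p)$ with $t = 1$, the restriction $h|_{x_j = a_j}$ used in Theorem 7 and Lemma 7(ii), and tests the property B(k) by tabulating $h(x_\delta^- + \tau + \delta) - h(x_\delta^- + \tau)$ over all $x_\delta^-$ and checking that it is affine with a nonzero linear part. The names are ours; the instance checked is $\chi_{10,2}$ ($n = 2p^2 + p$ for $p = 2$), with one variable fixed as Lemma 7(ii) allows for $r \le p - 1$.

```python
# Added example (not part of the paper): exhaustive tests of the two properties the
# constructions of this section rely on, balancedness and property B(k), over GF(p), t = 1.
from collections import Counter
from itertools import combinations, product


def chi_np(xs, p):
    """chi_{n,p}(x_1..x_n) = x_1 + sum_{j=1}^{n} sum_{i=1}^{p} x_j x_{[j+i](n)}, indices cyclic mod n (Lemma 7)."""
    n = len(xs)
    total = xs[0]
    for j in range(n):
        for i in range(1, p + 1):
            total += xs[j] * xs[(j + i) % n]
    return total % p


def chi_odd(xs, p):
    """chi_{2k+1}(x_1..x_{2k+1}) = x_1x_2 + ... + x_{2k}x_{2k+1} + x_{2k+1} (Lemma 4)."""
    return (sum(xs[i] * xs[i + 1] for i in range(len(xs) - 1)) + xs[-1]) % p


def restrict(h, n, fixed):
    """h|_{x_j = a_j}: the function of the n - len(fixed) remaining variables (fixed: {index: value})."""
    free = [i for i in range(n) if i not in fixed]

    def g(ys, p):
        x = [0] * n
        for i, a in fixed.items():
            x[i] = a
        for i, v in zip(free, ys):
            x[i] = v
        return h(x, p)
    return g


def is_balanced(h, n, p):
    """Every value of GF(p) is taken exactly p^(n-1) times."""
    counts = Counter(h(x, p) for x in product(range(p), repeat=n))
    return len(counts) == p and len(set(counts.values())) == 1


def is_nonconstant_affine(values, n, p):
    """values: {x: D(x)} on all of GF(p)^n.  D is affine iff D(x) = D(0) + sum_i x_i (D(e_i) - D(0))
    for every x; it is non-constant iff some coefficient D(e_i) - D(0) is nonzero."""
    c = values[(0,) * n]
    coeff = [(values[tuple(1 if j == i else 0 for j in range(n))] - c) % p for i in range(n)]
    if not any(coeff):
        return False
    return all((c + sum(a * xi for a, xi in zip(coeff, x))) % p == v for x, v in values.items())


def has_property_B(h, n, p, k):
    """For every delta with 1 <= HW(delta) <= k and every tau ⪯ delta, the difference
    h(x_delta^- + tau + delta) - h(x_delta^- + tau) must be a non-constant affine function of x_delta^-."""
    for l in range(1, k + 1):
        for support in combinations(range(n), l):
            free = [i for i in range(n) if i not in support]
            for dvals in product(range(1, p), repeat=l):          # nonzero entries of delta
                for tvals in product(range(p), repeat=l):          # tau ⪯ delta
                    diff = {}
                    for xm in product(range(p), repeat=len(free)):
                        x_t, x_td = [0] * n, [0] * n
                        for i, v in zip(free, xm):
                            x_t[i] = x_td[i] = v
                        for i, d, t in zip(support, dvals, tvals):
                            x_t[i], x_td[i] = t, (t + d) % p
                        diff[xm] = (h(x_td, p) - h(x_t, p)) % p
                    if not is_nonconstant_affine(diff, len(free), p):
                        return False
    return True


if __name__ == "__main__":
    print("chi_{10,2} balanced:", is_balanced(chi_np, 10, 2))
    print("chi_{10,2} has B(2):", has_property_B(chi_np, 10, 2, 2))
    print("chi_{10,2}|_{x_1=1} has B(2):", has_property_B(restrict(chi_np, 10, {0: 1}), 9, 2, 2))
```

The check is exponential in $n$, so it is a unit test for small instances rather than a proof; for the parameter sizes of Theorem 8 one relies on the lemmas above.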

Based on Theorem 7 and Lemma 7, we have the following construction.

Theorem 8. Let $GF(p^t)$ be a finite field and $s$ be an integer with $s \ge 2p$. Let each of $n_1,\dots,n_s$ be $2p^2 + p$ or $2p^2 + p + 1$, and $n = n_1 + \cdots + n_s$. Define a function $f$ on $GF(p^t)^n$ by $f(x) = \chi_{n_1,p}(y) + \cdots + \chi_{n_s,p}(z)$, where $x = (y,\dots,z)$, $y \in GF(p^t)^{n_1}, \dots, z \in GF(p^t)^{n_s}$, each $\chi_{n_j,p}$ has been defined in Lemma 7, and $\chi_{n_i,p}$ and $\chi_{n_j,p}$ have disjoint variables if $i \neq j$. Then the secret sharing with the defining function $f$ is strictly $p$-cheating immune.

Proof. Let $r$ be an integer with $0 \le r \le p-1$ and $\{j_1,\dots,j_r\}$ be a subset of $\{1,\dots,n\}$. Since $r \le p-1$, there exist at least $s - r \ge p+1$ functions among $\chi_{n_1,p},\dots,\chi_{n_s,p}$ none of whose variables is included in $\{x_{j_1},\dots,x_{j_r}\}$. Without loss of generality, we assume that no variable of $\chi_{n_{r+1},p},\dots,\chi_{n_s,p}$ is included in $\{x_{j_1},\dots,x_{j_r}\}$. Therefore for any $a_1,\dots,a_r \in GF(p^t)$, $f$ can be expressed as
$$f|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r} = g + \chi_{n_{r+1},p} + \cdots + \chi_{n_s,p},$$
where $g = (\chi_{n_1,p} + \cdots + \chi_{n_r,p})|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$. Due to Lemma 7, $\chi_{n_j,p}|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$ has the property B(p), $j = 1,\dots,r$, and thus from Lemma 3, $g$ has the property B(p) and thus $f|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$ has the property B(p). Since each $\chi_{n_j,p}$ is balanced, due to Lemma 2, $f|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$ is balanced. Applying Theorem 4 to $f|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r} = g + \chi_{n_{r+1},p} + \chi_{n_{r+2},p} + \cdots + \chi_{n_s,p}$, we conclude that the secret sharing with the defining function $f|_{x_{j_1}=a_1,\dots,x_{j_r}=a_r}$ is $p$-cheating immune. Finally, using Theorem 7, we know that the secret sharing with the defining function $f$ is strictly $p$-cheating immune. $\square$

By using the same arguments as in the last paragraph of Section 2.2, it is easy to verify that any integer $n \ge (2p^2 + p)^2$ can be expressed as $n = r(2p^2 + p) + q(2p^2 + p + 1)$ where $r, q \ge 0$. Since $n \ge (2p^2 + p)^2$, $s = r + q \ge 2p$, where $s$ was mentioned in Theorem 8. Using Theorem 8, we can construct strictly $p$-cheating immune secret sharing with $n$ participants where $n \ge (2p^2 + p)^2$.

4 Conclusions and Remarks

We have considered secret sharing over a finite field and its resistance against cheating by a group of $k$ dishonest participants. We have proved that the probability of successful cheating cannot be kept below $p^{-t}$ for every original vector. The secret sharing scheme is said to be $k$-cheating immune if the probability of successful cheating is $p^{-t}$ for any group of $k$ or fewer participants. We have characterised $k$-cheating immune secret sharing schemes by examining their defining functions. This characterisation enables us to construct $k$-cheating immune secret sharing schemes. Being more precise, we have studied two cases. In the first case, the group of cheaters always submit invalid shares. In the second case, the group is more flexible, as they collectively decide which of their shares should be modified and which should be submitted in their original form.
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Abstract. Let E be an elliptic curve dehned over the rationals. Koblitz 
conjectured that the number of primes p < x such that the number of 
points |£'(Fp)| on the curve over the finite field of p elements has prime 
order is asymptotic to 

r ^ 

® (log a:) 2 

for some constant Ce- We consider curves without complex multiplica- 
tion. Assuming the GRH (that is, the Riemann Hypothesis for Dedekind 
zeta functions) we prove that for 



(log®)2 

primes p < x, the group order |A(Fp)| has at most 16 prime divisors. We 
also show (again, assuming the GRH) that for a random prime p, the 
group order |A(Fp)| has loglogp prime divisors. 



1 Introduction

In cryptographic applications, one works with elliptic curves $E$ over a finite field $\mathbb{F}_q$ with the property that the group order $|E(\mathbb{F}_q)|$ is prime or nearly prime.

Let $E$ be an elliptic curve over $\mathbb{Q}$. Koblitz [3] considers the problem of estimating the number of primes $p \le x$ so that $|E(\mathbb{F}_p)|$ is of prime order. He conjectured that this number is
$$\sim C_E\,\frac{x}{(\log x)^2},$$
where $C_E$ is an explicit constant depending only on $E$. Let us set
$$N_p = |E(\mathbb{F}_p)|.$$
In this paper, we shall prove the following results.

Theorem 1 Assume the GRH (i.e. the Riemann Hypothesis for all Dedekind zeta functions of number fields). Let $E/\mathbb{Q}$ be an elliptic curve without complex multiplication. Then there are
$$\gg \frac{x}{(\log x)^2}$$
primes $p \le x$ so that $N_p = |E(\mathbb{F}_p)|$ has at most 16 prime factors (counting multiplicity).

We also show that for a random prime $p$, the group order should be divisible by about $\log\log p$ primes. We make this precise in the following theorem.

Theorem 2 Assume the GRH. Let $\varepsilon > 0$. Except possibly for
$$O\big(\pi(x)/(\log\log x)^{2\varepsilon}\big)$$
of the primes $p \le x$, the number $\nu(N_p)$ of prime divisors of $N_p$ satisfies
$$\log\log p - (\log\log p)^{1/2+\varepsilon} < \nu(N_p) < \log\log p + (\log\log p)^{1/2+\varepsilon}.$$

We remark that the question of the primality of the number of points on an elliptic curve has been studied by other authors. In particular, Galbraith and McKee [2] fix a prime $p$ and consider elliptic curves over the field $\mathbb{F}_p$. They make a precise conjecture about the probability that such an elliptic curve will have a prime number of points.

2 An Application of the Chebotarev Density Theorem

Given an elliptic curve $E/\mathbb{Q}$ and a prime $l$, we can consider the Galois representation
$$\rho_l : \mathrm{Gal}(\bar{\mathbb{Q}}/\mathbb{Q}) \to GL_2(\mathbb{Z}_l),$$
where $\mathbb{Z}_l$ denotes the $l$-adic integers and $\bar{\mathbb{Q}}$ is an algebraic closure of $\mathbb{Q}$. This representation comes from the action of the Galois group on the Tate module
$$T_l(E) = \varprojlim_n E[l^n] \cong \mathbb{Z}_l \oplus \mathbb{Z}_l.$$
If $E$ does not have complex multiplication, then a result of Serre [6] states that for $l \gg 1$, $\rho_l$ is surjective. Multiplying together these representations for the different primes $l \mid d$, we get a representation
$$\rho_d : \mathrm{Gal}(\bar{\mathbb{Q}}/\mathbb{Q}) \to GL_2(\mathbb{Z}/d).$$
If $N$ is the conductor of $E$, this representation is unramified outside $dN$. Moreover, if $p \nmid dN$, the characteristic polynomial of $\rho_d(\mathrm{Frob}_p)$, the image of a Frobenius element at $p$, is
$$T^2 - (a_p \bmod d)\,T + (p \bmod d),$$
where $a_p = p + 1 - N_p$.

Using this information, and assuming the GRH, one can use the Chebotarev density theorem (in the effective form proved by Lagarias and Odlyzko [4]) to deduce that for some $\delta(d)$,
$$\pi_E(x,d) := \#\{\,p \le x : d \mid N_p\,\} = \frac{1}{\delta(d)}\,\mathrm{Li}\,x + O\big(d^{O(1)}\,x^{1/2}\log(dNx)\big).$$
For $d = l$ prime and for $l$ large, $1/\delta(l)$ is the density of elements $g$ in $GL_2(\mathbb{Z}/l)$ with the property that $\mathrm{tr}\,g \equiv \det g + 1 \bmod l$. Hence
$$\delta(l) = l + O(1).$$
Moreover, $\delta$ is a multiplicative function.

3 Selberg's Sieve Method

We follow the notation of Bombieri [1]. The general set up is as follows: Let $f : \mathbb{N} \to \mathbb{Z}$ be a non-zero multiplicative function from the natural numbers to the ring of integers. Let
$$\mathcal{P} = \{\,p : p \le x\,\}$$
be the set of primes up to $x$. For an integer $d$, let us set
$$\mathcal{P}_d = \{\,p \in \mathcal{P} : f(p) \equiv 0 \bmod d\,\}.$$
Suppose that
$$|\mathcal{P}_d| = \frac{|\mathcal{P}|}{\delta(d)} + R_d,$$
where $\delta$ is a multiplicative function and $R_d$ is the remainder. Set
$$\delta_1 = \delta * \mu,$$
where $*$ denotes Dirichlet convolution. Let $\{\lambda_v\}$ be a sequence of real numbers with $\lambda_v = 0$ for $v$ sufficiently large or if $v$ is not squarefree. Set
$$\xi(m) = \mu(m)\,\delta_1(m)\sum_{v \equiv 0 \bmod m}\frac{\lambda_v}{\delta(v)},$$
so that $\sum_{v,w}\lambda_v\lambda_w/\delta([v,w]) = \sum_m \xi(m)^2/\delta_1(m)$, since $\delta((v,w)) = \sum_{m \mid (v,w)}\delta_1(m)$ for squarefree $v$, $w$. Consider the quantity
$$S = \sum_{p \in \mathcal{P}}\Big(\sum_{d \mid f(p)} a_d\Big)\Big(\sum_{v \mid f(p)}\lambda_v\Big)^2. \tag{1}$$
Then, by [1], Théorème 18, we have
$$S = |\mathcal{P}|\,\odot + O\Big(\sum_{d,v,w}|a_d\lambda_v\lambda_w|\,|R_{[d,v,w]}|\Big), \tag{2}$$
where
$$\odot = \sum_{d,v,w}\frac{a_d\lambda_v\lambda_w}{\delta([d,v,w])},$$
which [1] expresses through the $\xi(m)$, $\delta_1(m)$ and $a_d/\delta(d)$; only the two special cases worked out below are needed here.

We take for $f$ the function defined by $f(p) = N_p$. Thus, by Section 2,
$$R_d \ll d^{O(1)}\,x^{1/2}\log(dNx). \tag{3}$$
Let $y, z \ge 1$ be parameters to be chosen later. We will choose the $a_d$ to be bounded and $a_d = 0$ if $d > y$. We will choose the $\lambda_v$ so that $|\lambda_v| \le 1$, and $\lambda_v = 0$ if $v$ is not squarefree or if $v \ge z$.

By using (3), we see that the error term in (2) is
$$\ll \sum_{m \le yz^2} d(m)^2\,m^{O(1)}\,x^{1/2}\log(mNx),$$
where $d(m)$ denotes the number of positive divisors of $m$. This sum is easily seen to be $O(x^{1-\eta})$ for some $\eta > 0$, provided that $yz^2$ is a sufficiently small power of $x$. Thus (2) becomes
$$S = |\mathcal{P}|\,\odot + O(x^{1-\eta}). \tag{4}$$

Now we apply this with two choices of the $\{a_d\}$ and one choice of the $\{\xi_r\}$. Suppose that
$$a_d = \begin{cases} 1 & \text{if } d = 1,\\ 0 & \text{if } d > 1,\end{cases}\qquad\text{and}\qquad \xi_r = \begin{cases} c_1 & \text{if } r < z \text{ is squarefree},\\ 0 & \text{otherwise,}\end{cases}$$
with the constant $c_1$ normalised so that $\lambda_1 = 1$ (Selberg's choice). Then
$$\odot = \sum_{m < z}\frac{\xi(m)^2}{\delta_1(m)} = c_1^2\sum_{m<z}\frac{\mu^2(m)}{\delta_1(m)}.$$
Hence,
$$\sum_{p \le x}\Big(\sum_{\substack{v \mid N_p\\ v<z}}\lambda_v\Big)^2 = \Big(\sum_{m<z}\frac{\xi(m)^2}{\delta_1(m)}\Big)\,\mathrm{Li}\,x + O(x^{1-\eta}).$$

On the other hand, if we choose
$$a_d = \begin{cases} 1 & \text{if } d \text{ is a prime } < y,\\ 0 & \text{otherwise,}\end{cases}$$
and the same choice of $\{\xi_r\}$ as above, then $\odot$ is again a sum over $m < z$ with weights $\xi(m)^2/\delta_1(m)$, now multiplied by sums over the primes $l < y$ in which a prime $l \nmid m$ enters through $1/\delta(l)$. By easy estimates, using $\delta(l) = l + O(1)$, we deduce that assuming the GRH,
$$\sum_{p \le x}\Big(\sum_{\substack{d \mid N_p\\ d<y}} a_d\Big)\Big(\sum_{\substack{v \mid N_p\\ v<z}}\lambda_v\Big)^2 = \Big(\sum_{m<z}\frac{\xi(m)^2}{\delta_1(m)}\Big)\,\mathrm{Li}\,x\,\Big(1 + \log\frac{\log y}{\log z} + o(1)\Big) + O(x^{1-\eta}),$$
provided $yz^2$ is a sufficiently small power of $x$.

Now we choose $y$ and $z$ to be fixed powers of $x$, small enough for (4) to apply and such that $\log y/\log z \le 2 + \varepsilon$. Subtracting the second asymptotic formula from twice the first, we get
$$\sum_{p \le x}\Big(2 - \sum_{\substack{d \mid N_p\\ d<y}} a_d\Big)\Big(\sum_{\substack{v \mid N_p\\ v<z}}\lambda_v\Big)^2 = \Big(\sum_{m<z}\frac{\xi(m)^2}{\delta_1(m)}\Big)\,\mathrm{Li}\,x\,\Big(1 - \log\frac{\log y}{\log z} + o(1)\Big) + O(x^{1-\eta}). \tag{5}$$
Now as $x \to \infty$,
$$1 - \log\frac{\log y}{\log z} \ge 1 - \log(2 + \varepsilon) > 0.$$
Hence, for many primes $p$, we have
$$2 - \sum_{\substack{d \mid N_p\\ d<y}} a_d > 0. \tag{6}$$
Now, $\sum_{d \mid N_p,\,d<y} a_d$ represents the number of prime divisors of $N_p$ which are less than $y$. This means that for many primes, $N_p$ has at most one prime factor $< y$. But as $N_p \le p + 1 + 2\sqrt{p} < 2x$ and $y$ is a power of $x$ chosen so that $y^{16} > 2x$, the product of 16 primes $\ge y$ would exceed $N_p$; hence $N_p$ has at most 15 prime divisors $\ge y$, counted with multiplicity. Hence, in all, $N_p$ has at most 16 prime divisors.

How many such primes $p$ have we identified? By Möbius inversion, we have the formula
$$\lambda_v = \mu(v)\,\delta(v)\sum_{r \equiv 0 \bmod v}\frac{\xi(r)}{\delta_1(r)}.$$
With our choice of the $\xi_r$ we see that $|\lambda_v| \le 1$, as required, and that $\sum_{m<z}\xi(m)^2/\delta_1(m) = 1/\sum_{m<z}\mu^2(m)/\delta_1(m) \asymp 1/\log z$. For a prime $p$ satisfying (6), $N_p$ has at most one prime divisor $l$ below $z \le y$, so $\sum_{v \mid N_p,\,v<z}\lambda_v$ is $1$ or $1 + \lambda_l$ and the weight attached to $p$ in (5) is bounded. Hence the number of primes $p \le x$ with (6) holding is
$$\gg \frac{\mathrm{Li}\,x}{\log z} \gg \frac{x}{(\log x)^2}.$$
This proves Theorem 1.

Remark. We can refine this slightly. For any sufficiently small $\alpha > 0$, choose
$$a_d = \begin{cases} 2 & \text{if } d < x^{\alpha} \text{ is prime},\\ 1 & \text{if } x^{\alpha} \le d < y \text{ is prime},\\ 0 & \text{otherwise.}\end{cases}$$
Then the above argument allows us to conclude that for $\gg x/(\log x)^2$ primes $p \le x$, $N_p$ is composed of at most 16 primes, all of which are $\ge x^{\alpha}$.
4 The Number of Prime Divisors of $N_p$

Let $F : \mathbb{R} \to \mathbb{R}$ be a monotone increasing function with $F(x) = O(\log x)$ and $F(x) \ge 2$. Let
$$y = y(x) = x^{1/F(x)}.$$
Define as before
$$\pi_E(x,d) = \#\{\,p \le x : N_p \equiv 0 \bmod d\,\}.$$
Set $\nu_u(n)$ to be the number of distinct prime divisors of $n$ which are less than $u$. Suppose that
$$\sum_{d < y}\Big|\pi_E(x,d) - \frac{1}{\delta(d)}\,\mathrm{Li}\,x\Big| = O(\pi(x)).$$
Then by a result of [5],
$$\sum_{p \le x}\big(\nu_u(N_p) - \log\log p\big)^2 \ll \pi(x)\big\{\log\log u + F(x)^2\big\}.$$
In particular, if we assume the GRH, we may choose $F$ bounded. Then, choosing $u = x$, we get
$$\sum_{p \le x}\big(\nu(N_p) - \log\log p\big)^2 \ll \pi(x)\log\log x.$$
This means that for any $\varepsilon > 0$,
$$|\nu(N_p) - \log\log p| < (\log\log p)^{1/2+\varepsilon}$$
holds except possibly for
$$\ll \frac{\pi(x)}{(\log\log x)^{2\varepsilon}}$$
primes $p \le x$. This proves Theorem 2.



5 Numerical Results

The curves used here are $y^2 + y = x^3 - x$ (Koblitz's curve A [3]) and $y^2 + y = x^3 + x^2$ (Koblitz's curve B [3]) over $\mathbb{Q}$.

In the following tables, $P$ denotes the number of primes $p < x$ for which $|E(\mathbb{F}_p)|$ is prime and $P_{16}$ denotes the number for which $|E(\mathbb{F}_p)|$ has at most 16 prime divisors. We compare both numbers with $\mathrm{sum} = \sum_{p<x} 1/\log p$, which is asymptotic to $x/(\log x)^2$. Notice that in both cases the ratio $P_{16}/\mathrm{sum}$ is growing. The reason for this is that, as shown in Theorem 2, for a general prime $p$, $|E(\mathbb{F}_p)|$ has about $\log\log p$ prime divisors. For $p < e^{e^{16}}$, $\log\log p < 16$. Note that $e^{e^{16}}$ is far larger than $10^8$, the largest $x$ in the tables. Hence $P_{16}$ includes almost all primes in the range of our computations!

Curve A

            x          P       P_16   P/sum               P_16/sum
         2000         27        295   0.5251573439157927  5.737830239079958
        10000         72       1217   0.4515210283966590  7.631959604982417
        20000        119       2246   0.4453847927662430  8.508378040511230
        30000        177       3225   0.4857878136075451  8.916431258897687
       500000       1763      41475   0.5040228786621391  11.85725972348963
      1000000       3147      78413   0.5047240217277622  12.57608030369845
     50000000      91564    3000724   0.5057166880846511  16.57328429444024
    100000000     168513    5760864   0.5053138649370887  17.27489542775297

Curve B

            x          P       P_16   P/sum               P_16/sum
        50000        282       5108   0.5195410982580403  9.410694786886773
       100000        504       9557   0.5356395779869580  10.15695921988364
      1000000       3144      78414   0.5042421014445694  12.57622141942572
      5000000      12391     348337   0.5062077219244572  14.23056082898875
     70000000     123646    4117486   0.5079079824044065  16.91364060979239
     90000000     154100    5216302   0.5071762319513201  17.16797140220723
    100000000     168867    5760781   0.5063753774849848  17.27464604382933
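The small-$x$ rows of these tables can be recomputed with naive point counting. The code below is an added example and not the authors' program: it counts $N_p = |E(\mathbb{F}_p)|$ for curves A and B by completing the square and summing Legendre symbols, factors $N_p$, and returns $P$, $P_{16}$, $\mathrm{sum}$ and the two ratios, together with the mean of $\nu(N_p)$ against the mean of $\log\log p$ that Theorem 2 is about. The names are ours. One assumption is made about the tables, which do not say how they treat the primes of bad reduction (37 for curve A, 43 for curve B): those two primes are skipped here, so a recomputed row may differ from the table by one.

```python
# Added example (not part of the paper): recompute P, P_16 and the ratios of the tables above
# for Koblitz's curves A and B at small x.  Bad primes (37 for A, 43 for B) are skipped; this is
# our assumption, the tables do not state their treatment.
from math import isqrt, log

CURVES = {"A": (0, -1), "B": (1, 0)}    # y^2 + y = x^3 + a2*x^2 + a4*x, as (a2, a4)
BAD_PRIME = {"A": 37, "B": 43}          # primes of bad reduction (the conductors)


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(curve, p):
    """N_p = |E(F_p)|, including the point at infinity.

    For odd p complete the square: y^2 + y = c  <=>  (2y+1)^2 = 4c + 1, so x contributes
    1 + ((4c(x)+1)/p) points and N_p = p + 1 + sum_x ((4c(x)+1)/p).  p = 2 is brute-forced.
    """
    a2, a4 = CURVES[curve]
    cubic = lambda x: (x * x * x + a2 * x * x + a4 * x) % p
    if p == 2:
        return 1 + sum(1 for x in range(2) for y in range(2) if (y * y + y - cubic(x)) % 2 == 0)
    return p + 1 + sum(legendre(4 * cubic(x) + 1, p) for x in range(p))


def prime_factors(n):
    """Prime factors of n with multiplicity, by trial division (n < 2x is small here)."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def primes_below(x):
    """All primes p < x (sieve of Eratosthenes), x >= 2."""
    sieve = bytearray([1]) * x
    sieve[:2] = b"\x00\x00"
    for i in range(2, isqrt(x - 1) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, x, i)))
    return [i for i, v in enumerate(sieve) if v]


def statistics(curve, x):
    """P, P_16, sum = sum_{p<x} 1/log p and the table ratios over the good primes p < x,
    plus the mean of nu(N_p) and of log log p (for p >= 3) that Theorem 2 compares."""
    P = P16 = 0
    s = nu_total = loglog_total = 0.0
    good = [p for p in primes_below(x) if p != BAD_PRIME[curve]]
    for p in good:
        Np = count_points(curve, p)
        assert abs(Np - p - 1) <= 2 * p ** 0.5 + 1e-9, "Hasse bound violated"
        f = prime_factors(Np)
        P += len(f) == 1                 # N_p prime
        P16 += len(f) <= 16              # at most 16 prime factors with multiplicity
        s += 1 / log(p)
        if p >= 3:
            nu_total += len(set(f))
            loglog_total += log(log(p))
    m = sum(1 for p in good if p >= 3)
    return {"P": P, "P16": P16, "sum": s, "P/sum": P / s, "P16/sum": P16 / s,
            "mean nu(N_p)": nu_total / m, "mean loglog p": loglog_total / m}


if __name__ == "__main__":
    for curve in "AB":
        print(curve, statistics(curve, 2000))
```

Running it with $x = 2000$ for curve A should reproduce the first row of the table up to the treatment of $p = 37$; $P/\mathrm{sum}$ hovers around $0.5$ as Koblitz's constant $C_E$ predicts, while $P_{16}/\mathrm{sum}$ grows like $\log x$ because essentially every prime is counted in $P_{16}$.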

In the next table, the ratio is calculated with respect to a new sum function for the second curve,
$$\mathrm{newsum} = \sum_{p \le x}\frac{\log\log p}{\log p}.$$

Curve B

            x       P_16   P_16/newsum
      1500000     114055   5.077703705381576486359745075
      4500000     315780   5.342066297428407961234328273
      7500000     508055   5.463691349810055780139294703
     10000000     664338   5.531694315435302779590602582
     15000000     970418   5.627286090928976577998808347
     20000000    1270273   5.694755271679060610517382234
     50000000    3000632   5.908162470684291146461777003
     60000000    3561564   5.950331982556687066367401342
     70000000    4117486   5.985957408602426528340496046
     80000000    4668771   6.016740549442994361295284568
     90000000    5216302   6.043845873790258861760026661
    100000000    5760781   6.068092257839014532708832806
    105000000    6032009   6.079312197063872087216809876
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Abstract. We present an algorithm for generating elliptic curves of 
prime order over Optimal Extension Fields suitable for use in cryptog- 
raphy. The algorithm is based on the theory of Complex Multiplication. 
Furthermore, we demonstrate the efficiency of the algorithm in practice 
by giving practical running times. In addition, we present statistics on 
the number of cryptographically strong elliptic curves of prime order for 
Optimal Extension Fields of cardinality (2®^ -|- c)® with c < 0. We con- 
clude that there are sufficiently many curves in this case. 

Keywords; complex multiplication, cryptography, elliptic curve. Opti- 
mal Extension Field 



1 Introduction

Since their proposal for use in cryptography about 15 years ago ([Kob87], [Mil86]), elliptic curves have gained a lot of attention in the cryptographic community due to their short key lengths. However, as of today, only two families of finite fields have found consideration in practice: finite fields of characteristic 2 and finite prime fields of large characteristic. Algorithms to find elliptic curves for use in cryptography are well known for both families of fields.

Recently, a new type of finite field was proposed for use in practice: Optimal Extension Fields ([BP98], [BP01]). Optimal Extension Fields take the hardware in use (i.e. the word size of the processor) into account and thus yield an efficient way of implementing finite field arithmetic, especially inversion. As inversion is the most time-consuming step for adding points on elliptic curves over finite fields, Optimal Extension Fields have the potential to be considered a third family of finite fields for elliptic curve cryptography.

In order to decide whether an elliptic curve is suitable for use in cryptography, we have to know its group order. However, when choosing random curves and using the efficient point counting algorithms, we have to try several curves before finding a suitable one. This turns out to be rather slow. Hence, we make use of the theory of Complex Multiplication to find suitable elliptic curves over Optimal Extension Fields. For security reasons we restrict to elliptic curves of prime order. We will develop a closed algorithm solving this task.

Processors of word size 32 bits play a crucial role in practice. Hence, we will show that our algorithm is very fast in this case. Let $p$ be a 32-bit prime of the form $p = 2^{32} + c$ with $c < 0$, so that $p < 2^{32}$. Our algorithm finds a cryptographically strong elliptic curve of prime order over an Optimal Extension Field $\mathbb{F}_{p^5}$ in about 22 seconds using an ordinary PC. In addition, we present data on the number of suitable elliptic curves over Optimal Extension Fields of the form $\mathbb{F}_{p^5}$. We conclude that, for fields of this form, their quantity is sufficiently large.

The paper is organized as follows: In the next section we review the basic definitions of Optimal Extension Fields and of elliptic curves suitable for use in cryptography. We present our generating algorithm in Sect. 3. Finally, in Sect. 4 we present sample running times of our implementation and discuss statistics on the number of elliptic curves of prime order over fields of the form $\mathbb{F}_{p^5}$ with a 32-bit prime $p$.

2 Elliptic Curves over Optimal Extension Fields

We review the definition and some properties of Optimal Extension Fields and elliptic curves. Furthermore, we list the conditions on elliptic curves suitable for use in cryptography. Let us first turn to Optimal Extension Fields.

Definition 1. Let $c$ be a rational integer, and let $p = 2^n + c$ be prime with $n \in \mathbb{N}$. Furthermore, assume $|c| \le 2^{\lfloor n/2 \rfloor}$ and let $m \in \mathbb{N}$. If there is an $\omega \in \mathbb{F}_p$ such that the binomial $X^m - \omega$ is irreducible in $\mathbb{F}_p[X]$, then $\mathbb{F}_{p^m}$ is called an Optimal Extension Field.

The basic idea of introducing Optimal Extension Fields is to adapt the arithmetic over finite extension fields to the hardware in use (see [BP98], [BP01]). For instance, when implementing an elliptic curve cryptosystem on a 32-bit processor, one may choose $n = 32$ and $c < 0$ such that $2^{32} + c$ is prime. Hence, the arithmetic in $\mathbb{F}_p$ fits in a word. Furthermore, let $\omega$ be as in Definition 1. We represent $\mathbb{F}_{p^m}$ as the factor ring $\mathbb{F}_p[X]/(X^m - \omega)$ with respect to the polynomial basis $\{1, X, \dots, X^{m-1}\}$. Hence, in $\mathbb{F}_{p^m}$ the identity $X^m = \omega$ holds, yielding an easy reduction of $X^k$ for $k \ge m$.

Bailey and Paar [BP01] distinguish two special types of Optimal Extension Fields: First, if $|c| = 1$, the according Optimal Extension Field is called a Type I OEF. Second, if $X^m - 2$ is irreducible in $\mathbb{F}_p[X]$, they name the according field a Type II OEF. In this paper we do not make use of Type I OEFs.

In order to decide whether an irreducible binomial of degree $m$ exists in $\mathbb{F}_p[X]$ we make use of the following theorem, which we prove in [Bai01b].

Theorem 1. Let $p$ and $m$ be rational primes. For $\omega \in \mathbb{F}_p^*$ the following properties are equivalent:

1. The binomial $X^m - \omega$ is irreducible in $\mathbb{F}_p[X]$.

2. $m$ divides the order $e$ of $\omega$ in $\mathbb{F}_p^*$, but not $(p-1)/e$.

3. We have $m \mid p - 1$ and $\omega^{(p-1)/m} \not\equiv 1 \bmod p$.

Using the property that $\mathbb{F}_p^*$ is a cyclic group, the following corollary is an easy consequence of property 3 in Theorem 1.

Corollary 1. Let $p$ and $m$ be primes. There exists an irreducible binomial of degree $m$ in $\mathbb{F}_p[X]$ if and only if $m \mid p - 1$.

Next, we review a few basic facts concerning elliptic curves over finite fields and define cryptographically strong ones. Let $p$ be a prime number, $p > 3$, and let $q = p^m$ with $m \in \mathbb{N}$. An elliptic curve over the field $\mathbb{F}_q$ is a pair $E = (a,b) \in \mathbb{F}_q^2$ with $4a^3 + 27b^2 \neq 0$. A point on $E$ is a solution $(x,y) \in \mathbb{F}_q^2$ of $y^2 = x^3 + ax + b$, or the point at infinity $\mathcal{O}$ obtained by considering the projective closure of this equation. The set of points on $E$ over $\mathbb{F}_q$ is denoted by $E(\mathbb{F}_q)$. It turns out that $E(\mathbb{F}_q)$ carries a group structure with the point at infinity acting as the identity element.

We call the elliptic curve $E$ cryptographically strong if it satisfies the following conditions: We have $|E(\mathbb{F}_q)| = k \cdot r$ with a prime $r > 2^{160}$ and a positive integer $k \le 4$. The first requirement avoids generic attacks such as Pollard's $\rho$-algorithm, while the second one is due to efficiency reasons. If $m \ge 2$ and $p > 11$ this condition implies that $E$ is not defined over $\mathbb{F}_p$ (otherwise $E(\mathbb{F}_p)$ would be a subgroup of order at least $p + 1 - 2\sqrt{p} > 4$ which, being smaller than $r$, would have to divide $k$). In addition, in order to avoid anomalous curves, the primes $r$ and $p$ are different. Finally, the order of $q$ in the multiplicative group $\mathbb{F}_r^*$ is required to be large; hence, we exclude curves which are amenable to the attack of Menezes, Okamoto, and Vanstone. An explanation of either attack may be found in [BSS99].

In addition, the German Information Security Agency (GISA) requires the class number of the maximal order containing the endomorphism ring of $E$ to be at least 200. Although there is no consensus on this requirement in the community, we take it into account for the following two reasons: First, in order to provide curves for digital signatures in conformance with the German Digital Signature Act, we have to respect the requirements of the GISA. Second, we want to show that our algorithm is not restricted to discriminants of small class number. Nevertheless, our algorithm is applicable to the case of small class numbers as well.

In this paper we focus on Optimal Extension Fields of the form $\mathbb{F}_{p^5}$ with a 32-bit prime $p$. The reason for the choice $m = 5$ is twofold. Due to a theorem of Hasse we have $|E(\mathbb{F}_q)| \approx q$. Hence, in order to generate an elliptic curve of prime order $r$ with $r \approx 2^{160}$ we have to ensure $m \geq 5$. Second, we restrict to extension fields of prime degree as some of our sub-algorithms of Section 3 are very efficient in this case. However, the security implications of the Weil descent ([GHS01]) on these curves are not yet clear. Nevertheless, the generalization to composite $m$ is easy.

We are not aware of any further efficient algorithm to find an elliptic curve over an Optimal Extension Field of characteristic $> 5$ respecting all these requirements. Although the Schoof-Elkies-Atkin (SEA) algorithm runs in polynomial time for arbitrary finite fields and has been implemented efficiently for Optimal Extension Fields, it turns out to be much slower in practice. The main reason is that we have to choose a number of curves and determine their cardinalities before finding a suitable one. Furthermore, the very efficient Satoh algorithm for fields of characteristic 2 ([FGH01]) does not apply to Optimal Extension Fields.

3 The Generating Algorithm 

Our generating algorithm oefCurve, presented at the end of this section, makes use of the theory of Complex Multiplication. Good references for this theory in the scope of elliptic curve cryptography are [AM93], [LZ94], and [BB00]. We sketch the most important theory used in our algorithm. A central term is that of an imaginary quadratic discriminant, which is a negative integer $\Delta$ congruent to 0 or 1 modulo 4. Our aim is to find a prime power $p^m$ and an elliptic curve defined over a field $\mathbb{F}_{p^m}$, but not over $\mathbb{F}_p$. In order to do this we first have to find a prime power $p^m$ and a discriminant $\Delta$, such that the norm equation

$$t^2 - \Delta y^2 = 4p^m \qquad (1)$$

has a solution $(t, y) \in \mathbb{Z}^2$, while the equation $t'^2 - \Delta y'^2 = 4p$ does not have a solution $(t', y') \in \mathbb{Z}^2$. If this is true, using Complex Multiplication, we find elliptic curves $E_{1,q}$ and $E_{2,q}$ over $\mathbb{F}_{p^m}$, both not defined over $\mathbb{F}_p$, with

$$|E_{1,q}(\mathbb{F}_{p^m})| = p^m + 1 - t, \qquad |E_{2,q}(\mathbb{F}_{p^m})| = p^m + 1 + t \qquad (2)$$

analogously as explained in [BB00].

Let $H \in \mathbb{Z}[X]$ be the Hilbert class polynomial of $\Delta$, i.e. the minimal polynomial of $j\big(\frac{\Delta + \sqrt{\Delta}}{2}\big)$, where $j$ denotes the well-known modular function. Modulo $p$ the polynomial $H$ splits into irreducible factors of degree $m$, while it splits in $\mathbb{F}_{p^m}[X]$ into pairwise distinct linear factors. Let $j_q \in \mathbb{F}_{p^m}$ be a zero of $H \bmod p$. If $\Delta < -4$, we have $j_q \notin \{0, 1728\}$, and for any non-square $s_q \in \mathbb{F}_{p^m}$ we set

$$\kappa_q = \frac{j_q}{1728 - j_q}, \qquad (a_q, b_q) = (3\kappa_q, 2\kappa_q). \qquad (3)$$

Then we have

$$\{E_{1,q}, E_{2,q}\} = \{(a_q, b_q),\ (a_q s_q^2, b_q s_q^3)\}. \qquad (4)$$

After this construction it is not known which of the curves is $E_{1,q}$ and which is $E_{2,q}$. However, by choosing points on each curve and testing whether their order is a divisor of $p^m + 1 + t$ or of $p^m + 1 - t$, the curves $E_{1,q}$ and $E_{2,q}$ can be identified.

Thus we can decide whether one of the curves $E_{1,q}$ or $E_{2,q}$ is cryptographically strong before we actually construct those curves. We only need to know the primes $p$ and $m$ and the norm representation of $p^m$ as in (1). From (2) we deduce the orders of $E_{1,q}$ and $E_{2,q}$, and we can check whether one of the curves respects all conditions from the previous section.
Input of our algorithm oefCurve(n, m, h_0) is a positive integer $n$ (e.g. the word size of the processor in use), the degree $m$ of the Optimal Extension Field over its prime field, and an integer $h_0 \geq 200$. The algorithm returns a prime $p < 2^n$ such that $\mathbb{F}_{p^m}$ is an Optimal Extension Field, an irreducible binomial $X^m - \omega$ in $\mathbb{F}_p[X]$, and an elliptic curve $E$ of prime order $r$ defined over $\mathbb{F}_{p^m}$ respecting all requirements of Sect. 2. Furthermore, the endomorphism ring of $E$ is a maximal order of class number at least $h_0$. In addition, oefCurve returns a generating point of $E(\mathbb{F}_{p^m})$. In order to get reasonable results we have to ensure $n \cdot m > 160$ and that $m$ is prime.

We next explain our main algorithm oefCurve. It splits into several sub-algorithms, which we discuss in what follows. The first sub-algorithm findField(n, m, h_0) determines an Optimal Extension Field of cardinality $p^m$ and a prime $r$ being the group order of a cryptographically strong elliptic curve defined over $\mathbb{F}_{p^m} \setminus \mathbb{F}_p$. To be more precise, findField computes among other things a prime $p$ of the form $2^n + c$ with $c < 0$ and $|c| < \sqrt{2^n}$ such that $m \mid p - 1$. Although it is not clear if such a prime $p$ exists for a random tuple $(n, m)$, the asymptotic density of such primes for growing $n$ is $\frac{1}{(m-1)\ln(2^n)}$ due to the Prime Number Theorem and a theorem of Dirichlet on the number of primes in arithmetic progressions. Hence, for example, if $n = 32$ and $m = 5$ (i.e. the case we are most interested in), there should be about $\frac{2^{16}}{4\ln(2^{32})} \approx 739$ primes congruent to 1 modulo 5 in the interval $[2^{32} - 2^{16}, 2^{32}]$. The exact number is 733. Thus we may assume that an appropriate prime $p$ exists.

In order to be successful, findField has to solve the norm equation (1) for some $\Delta$ and $p$. We explain how to find appropriate $\Delta$ and $p$. A necessary condition on $\Delta$ for $E$ to be of prime order is $\Delta \equiv 5 \bmod 8$. We assume that a sufficiently large database of fundamental imaginary quadratic discriminants $\Delta \equiv 5 \bmod 8$ of class number at least 200 is at our disposal. In our tests we make use of a database containing all such fundamental discriminants $\Delta > -6000000$. Our function nextDiscriminant(h, Δ) returns the maximal fundamental discriminant $\Delta' \equiv 5 \bmod 8$ of class number $h$ with $\Delta' < \Delta$.

The algorithm is exponential in $\log(h)$. In addition, it depends on the bit-length of $\Delta$. Thus we want $h$ and $|\Delta|$ to be as small as possible. A necessary condition, due to class field theory, which we have to take care of is $m \mid h(\Delta)$. Hence we set $h = \min\{h' \in \mathbb{N} : h' \geq h_0,\ m \mid h'\}$. Let $\Delta \equiv 5 \bmod 8$ be maximal of class number $h$. We set $p = \max\{p' \in \mathbb{Z} : p' < 2^n,\ p' \equiv 1 \bmod m,\ p' \text{ prime}\}$. We determine whether the norm equation $t^2 - \Delta y^2 = 4p$ has a solution $(t, y) \in \mathbb{Z}^2$ by using an algorithm due to Cornacchia ([Coh95], p. 34-36): cornacchia(Δ, p) gets an imaginary quadratic discriminant $\Delta$ and a prime $p$ as input and returns $t \neq 0$ if the corresponding norm equation has an integer solution, and 0 otherwise. If $t^2 - \Delta y^2 = 4p$ has no integer solution, we turn to the norm equation $t^2 - \Delta y^2 = 4p^m$. In order to decide whether this equation has an integer solution or not, we extended the algorithm of Cornacchia to prime powers: cornacchiaPrimePower(Δ, p^m) gets an imaginary quadratic discriminant $\Delta$ and a prime power $p^m$ as input. It returns $t \neq 0$ if the norm equation (1) has an integer solution, and 0 otherwise.
If we have found a prime $p$ with an integer solution of the norm equation for $p^m$, but not for $p$, we make use of (2) to check for the conditions of Section 2. Analogously to [BB00] this task is performed by the function isStrong(p^m, N); it returns the prime $r$ if $N$ turns out to be the order of a cryptographically strong elliptic curve over $\mathbb{F}_{p^m}$, and 0 otherwise. This yields our algorithm findField(n, m, h_0).



findField(n, m, h_0)

Input: A positive integer n, a prime m, such that nm > 160, and an integer h_0 ≥ 200.
Output: A prime p of bit-length n, such that F_{p^m} is an Optimal Extension Field, if such a p exists.
A prime r and a discriminant Δ, such that r is the cardinality of a cryptographically strong elliptic curve defined over F_{p^m} \ F_p having a maximal order of discriminant Δ as endomorphism ring with h(Δ) ≥ h_0.

p ← max{p' ∈ Z : p' < 2^n, p' ≡ 1 mod m, p' prime};
if 2^n − p > √(2^n) then
    output("No OEF found. Terminating."); terminate;
h ← min{h' ∈ N : h' ≥ h_0, m | h'};
while true do
    Δ ← nextDiscriminant(h, 0);
    while Δ > −6000000 do
        p ← max{p' ∈ N : p' < 2^n, p' ≡ 1 mod m, p' prime};
        while 2^n − p < √(2^n) do
            t ← cornacchia(Δ, p);
            if t = 0 then
                t ← cornacchiaPrimePower(Δ, p^m);
                if t ≠ 0 then
                    if (r ← isStrong(p^m, p^m + 1 − t)) ≠ 0 AND r = p^m + 1 − t then
                        return(p, r, Δ);
                    else if (r ← isStrong(p^m, p^m + 1 + t)) ≠ 0 AND r = p^m + 1 + t then
                        return(p, r, Δ);
            p ← max{p' ∈ Z : p' < p, p' ≡ 1 mod m, p' prime};
        Δ ← nextDiscriminant(h, Δ);
    h ← h + m;
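The following program is an added worked example, not code from the paper: it solves the norm equation $t^2 - \Delta y^2 = 4p^m$ with Cornacchia's algorithm ([Coh95], Algorithm 1.5.3) and, for $m > 1$, with the same Euclidean reduction applied to a square root of $\Delta$ modulo $p^m$ obtained by Hensel lifting. This is a textbook extension chosen for the example; the paper's own cornacchiaPrimePower is not reproduced. The discriminant $\Delta = -35$, the primes 3 and 17 and the expected solutions $(1, 1)$ and $(29, 3)$ are constructed test data: both primes split in $\mathbb{Q}(\sqrt{-35})$ but are not principal, so $4p$ has no solution while $4p^2$ has one, which is exactly the situation findField looks for, and candidate_orders then yields the two orders of equation (2). The code assumes $p$ odd and $p \nmid \Delta$.

```python
"""Norm equation t^2 - Delta*y^2 = 4*p^m via Cornacchia (Cohen, Alg. 1.5.3) with Hensel lifting
for prime powers.  Added example; assumes p odd, p not dividing Delta, Delta < 0 a discriminant."""
from math import isqrt

def sqrt_mod_prime(a, p):
    """Tonelli-Shanks: some x with x^2 = a (mod p), p an odd prime; None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:     # any quadratic non-residue will do
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def sqrt_mod_prime_power(a, p, m):
    """Hensel-lift a root of x^2 = a (mod p) to a root modulo p^m (needs p odd, p not dividing a)."""
    r = sqrt_mod_prime(a, p)
    if r is None or r == 0:
        return None
    mod = p
    for _ in range(m - 1):
        mod *= p
        r = (r - (r * r - a) * pow(2 * r, -1, mod)) % mod
    return r

def cornacchia(delta, p, m=1):
    """Return (t, y) with t^2 - delta*y^2 = 4*p^m and t > 0, or None if no solution is found.
    With m = 1 this is exactly Cohen's modified Cornacchia algorithm for 4p."""
    N = p ** m
    x0 = sqrt_mod_prime_power(delta, p, m)
    if x0 is None:
        return None
    if (x0 - delta) % 2:              # pick the root with x0 = delta (mod 2): x0^2 = delta (mod 4N)
        x0 = N - x0
    a, b, limit = 2 * N, x0, isqrt(4 * N)
    while b > limit:                  # Euclid on (2N, x0), stopped once the remainder is < 2*sqrt(N)
        a, b = b, a % b
    rem = 4 * N - b * b
    if rem % (-delta):
        return None
    c = rem // (-delta)
    y = isqrt(c)
    return (b, y) if y * y == c else None

def candidate_orders(delta, p, m):
    """The two group orders of equation (2) for a CM curve over F_{p^m} with discriminant delta,
    provided the norm equation is solvable for p^m but not for p (the case findField requires)."""
    if cornacchia(delta, p) is not None:
        return None                   # a curve with this CM already exists over F_p
    sol = cornacchia(delta, p, m)
    if sol is None:
        return None
    t = sol[0]
    return (p ** m + 1 - t, p ** m + 1 + t)

if __name__ == "__main__":
    # Delta = -35: fundamental, 5 mod 8, class number 2. 3 and 17 split but are not principal.
    for p in (3, 17):
        print("Delta=-35, p=%d: 4p ->" % p, cornacchia(-35, p), " 4p^2 ->", cornacchia(-35, p, 2),
              " orders:", candidate_orders(-35, p, 2))
    print("Delta=-7, p=11:", cornacchia(-7, 11), " Delta=-7, p=29:", cornacchia(-7, 29))
```

For $\Delta = -35$ and $p = 3$ the two candidate orders are 9 and 11, so the twist with 11 points has prime order; for $p = 17$ they are 261 and 319, neither prime, so findField would step to the next prime. Solutions with $p \mid y$ (such as $t = 2p$, $y = 0$ for inert $p$) are not found by this method and are of no use here anyway, since they never give a prime order.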



Once knowing the cardinality $p^m$ of an Optimal Extension Field, we turn to the computation of an irreducible binomial $X^m - \omega$ in $\mathbb{F}_p[X]$. Our algorithm findBinomial(p, m) is a straightforward consequence of Theorem 1 and Corollary 1.

We remark that if $X^m - \omega$ is reducible in $\mathbb{F}_p[X]$, then $X^m - \omega^d$ is reducible as well for all $d \in \mathbb{N}$. However, due to the simplicity of algorithm findBinomial(p, m) we do not take this fact into account.

Finally, we turn to algorithm findOEFCurve(Δ, p^m, r). This algorithm is based on findCurve(Δ, p, l) in [BB00]. The main differences come from the sub-algorithm findRoot. As explained above, given a root $j_q$ of $H \bmod p$ in $\mathbb{F}_{p^m}$, findOEFCurve computes the coefficients of elliptic curves over $\mathbb{F}_{p^m}$ of order $p^m + 1 \pm t$, and it decides by trial and error which of these curves is of order $r$.

findBinomial(p, m)

Input: Rational primes p and m with p ≡ 1 mod m.
Output: An irreducible binomial X^m − ω in F_p[X] with minimal ω ∈ N.

ω ← 2;
while true do
    d ← ω^((p−1)/m) mod p;
    if d ≠ 1 then
        return(X^m − ω);
    ω ← ω + 1;

findOEFCurve(Δ, p^m, r)

Input: A fundamental imaginary quadratic discriminant Δ ≡ 5 mod 8.
A prime power p^m such that there exists an elliptic curve of prime order r over F_{p^m}.
Output: An elliptic curve E over F_{p^m} with |E(F_{p^m})| = r and endomorphism ring of discriminant Δ.
A generating point G of E(F_{p^m}).

j_q ← findRoot(Δ, p^m);
Select a non-square s_q ∈ F_{p^m};
E_1 ← (a_q, b_q); E_2 ← (a_q s_q^2, b_q s_q^3);    // assign curve parameters as in (3), (4)
G_1 ∈_R E_1(F_{p^m}) \ {O}; G_2 ∈_R E_2(F_{p^m}) \ {O};    // choose random points
if r·G_1 = O AND r·G_2 ≠ O then
    return(E_1, G_1);
else
    return(E_2, G_2);
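The following program is an added worked example (not the paper's LiDIA code) of two pieces of oefCurve: the prime-search step of findField, i.e. the largest prime $p < 2^n$ with $p \equiv 1 \bmod m$ and $2^n - p < \sqrt{2^n}$ together with the prime-count estimate given above, and findBinomial, which applies property 3 of Theorem 1 directly. The Miller-Rabin test with the fixed base set below is deterministic for the sizes used here; the six primes at the end are the values of $p$ from Table 1.

```python
"""Prime-search step of findField and the algorithm findBinomial.  Added example, not the
paper's implementation."""
from math import isqrt, log

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 with the fixed base set below."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for s in bases:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def oef_prime(n, m):
    """Largest prime p < 2^n with p = 1 (mod m) and 2^n - p < 2^(n/2); None if there is none.
    This is the value of p at the start of findField."""
    top, bound = 1 << n, isqrt(1 << n)
    p = top - 1 - ((top - 2) % m)          # largest p < 2^n with p = 1 (mod m)
    while top - p < bound:
        if is_prime(p):
            return p
        p -= m
    return None

def next_oef_prime(p, m):
    """The step p <- max{p' < p : p' = 1 mod m, p' prime} of the inner loop of findField."""
    p -= m
    while not is_prime(p):
        p -= m
    return p

def count_oef_primes(n, m):
    """Number of primes p = 1 (mod m) in the closed interval [2^n - 2^(n/2), 2^n]."""
    top, bound = 1 << n, isqrt(1 << n)
    lo = top - bound
    first = lo + ((1 - lo) % m)
    return sum(1 for p in range(first, top + 1, m) if is_prime(p))

def expected_oef_primes(n, m):
    """Prime Number Theorem / Dirichlet estimate 2^(n/2) / ((m-1) ln 2^n) for prime m."""
    return (2 ** (n / 2)) / ((m - 1) * log(2 ** n))

def find_binomial(p, m):
    """Smallest omega >= 2 with X^m - omega irreducible over F_p: property 3 of Theorem 1,
    omega^((p-1)/m) != 1 (mod p).  Requires p = 1 (mod m) by Corollary 1."""
    assert (p - 1) % m == 0, "no irreducible binomial of degree m exists (Corollary 1)"
    e = (p - 1) // m
    omega = 2
    while pow(omega, e, p) == 1:
        omega += 1
    return omega

if __name__ == "__main__":
    p = oef_prime(32, 5)
    print("largest prime p < 2^32 with p = 1 mod 5:", p, " 2^32 - p =", (1 << 32) - p)
    print("X^5 - omega irreducible over F_p for omega =", find_binomial(p, 5))
    print("next candidate prime:", next_oef_prime(p, 5))
    print("primes = 1 mod 5 in [2^32 - 2^16, 2^32]: estimate %.0f, exact %d"
          % (expected_oef_primes(32, 5), count_oef_primes(32, 5)))
    for q in (4294920991, 4294903891, 4294931761, 4294931071, 4294946191, 4294940641):
        print("p =", q, " prime:", is_prime(q), " omega:", find_binomial(q, 5))
```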

We next discuss findRoot(Δ, p^m), i.e. the procedure to determine a root of $H \bmod p$ in $\mathbb{F}_{p^m}$. The first step of findRoot(Δ, p^m) consists in determining a generating polynomial of the Hilbert class field of $\mathbb{Q}(\sqrt{\Delta})$. In the literature one finds some proposals of polynomials with rather small coefficients. If $3 \nmid \Delta$ we compute a polynomial due to Atkin and Morain (see [AM93]). To be more precise, in this case we determine the minimal polynomial of $\gamma_2\big(\frac{\Delta + \sqrt{\Delta}}{2}\big)$ over $\mathbb{Q}(\sqrt{\Delta})$, where $\gamma_2$ is the unique cube root of $j$ which is real-valued on the imaginary axis. We denote this polynomial by $H_\gamma$. Let $\gamma_{2,q} \in \mathbb{F}_{p^m}$ be a root of $H_\gamma \bmod p$. Then $\gamma_{2,q}^3$ is a root of $H \bmod p$. If we have $3 \mid \Delta$, we compute the Hilbert polynomial $H$ itself. For an efficient computation of $H_\gamma$ or $H$ we refer to [Bai01a].

It remains to explain how to get a root of a polynomial $P \bmod p$ that splits completely into linear factors in $\mathbb{F}_{p^m}[X]$. As in [BB00] we make use of the LiDIA function find_root(p^m, P). As input this function requires a prime power $p^m$ and a polynomial $P \in \mathbb{Z}[X]$, such that $P \bmod p$ splits into linear factors in $\mathbb{F}_{p^m}[X]$. It returns a zero of $P \bmod p$ in $\mathbb{F}_{p^m}$. find_root uses the Cantor-Zassenhaus split (see [Coh95]) and a polynomial arithmetic due to Shoup [Sho95].
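As an added example (not the paper's implementation), the construction of equations (3) and (4) and the order test of findOEFCurve can be run end to end over a field small enough to verify every step by exhaustive point counting. The example takes $\mathbb{F}_{17^2} = \mathbb{F}_{17}[X]/(X^2 - 3)$, a field of the binomial shape used here but far below OEF size, with the composite degree $m = 2$ only to keep the field small, and the discriminant $\Delta = -35$ (fundamental, $\equiv 5 \bmod 8$, class number 2). The norm equation $t^2 + 35y^2 = 4 \cdot 17^2$ has the solution $(29, 3)$ while $t^2 + 35y^2 = 68$ has none, so by (2) the two cur2ves have $17^2 + 1 \mp 29 = 261$ and $319$ points; neither is prime, so these are not cryptographically strong curves, but the identification by point orders works exactly as in findOEFCurve. The Hilbert class polynomial $H_{-35} = X^2 + 117964800X - 134217728000$ is reduced modulo 17, where it is irreducible, and its root in $\mathbb{F}_{17^2}$ is found by exhaustive search instead of by findRoot.

```python
"""Equations (3), (4) and the twist test of findOEFCurve over F_{17^2} = F_17[X]/(X^2 - 3).
Added example with toy parameters; Delta = -35, t = 29 from 29^2 + 35*3^2 = 4*17^2."""
P, OMEGA, Q = 17, 3, 17 ** 2               # 3 is a non-square mod 17, so X^2 - 3 is irreducible
DELTA, T = -35, 29
H_DELTA = (1, 117964800, -134217728000)    # Hilbert class polynomial of -35, leading coeff first

# Elements of F_Q are pairs (u0, u1) meaning u0 + u1*X with X^2 = OMEGA.
def f_add(u, v): return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)
def f_sub(u, v): return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)
def f_mul(u, v): return ((u[0] * v[0] + OMEGA * u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)
def f_const(c): return (c % P, 0)

def f_pow(u, e):
    r = f_const(1)
    while e:
        if e & 1:
            r = f_mul(r, u)
        u, e = f_mul(u, u), e >> 1
    return r

def f_inv(u): return f_pow(u, Q - 2)
def f_is_square(u): return u == (0, 0) or f_pow(u, (Q - 1) // 2) == f_const(1)
ELEMENTS = [(u0, u1) for u0 in range(P) for u1 in range(P)]

def hilbert_roots():
    """All j in F_Q with H_DELTA(j) = 0 (Horner evaluation over the whole field)."""
    roots = []
    for j in ELEMENTS:
        val = (0, 0)
        for c in H_DELTA:
            val = f_add(f_mul(val, j), f_const(c))
        if val == (0, 0):
            roots.append(j)
    return roots

def curves_from_j(j, s):
    """(3): kappa = j/(1728 - j), (a, b) = (3kappa, 2kappa); (4): the twist (a s^2, b s^3)."""
    kappa = f_mul(j, f_inv(f_sub(f_const(1728), j)))
    a, b = f_mul(f_const(3), kappa), f_mul(f_const(2), kappa)
    s2 = f_mul(s, s)
    return (a, b), (f_mul(a, s2), f_mul(b, f_mul(s2, s)))

def rhs(curve, x):
    a, b = curve
    return f_add(f_add(f_mul(f_mul(x, x), x), f_mul(a, x)), b)

def count_points(curve):
    """|E(F_Q)| by exhaustive search: the point at infinity plus 0, 1 or 2 values of y per x."""
    n = 1
    for x in ELEMENTS:
        r = rhs(curve, x)
        n += 1 if r == (0, 0) else 2 if f_is_square(r) else 0
    return n

def ec_add(curve, p1, p2):
    """Affine group law on y^2 = x^3 + ax + b; None stands for the point at infinity O."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if f_add(y1, y2) == (0, 0):
            return None
        lam = f_mul(f_add(f_mul(f_const(3), f_mul(x1, x1)), curve[0]), f_inv(f_mul(f_const(2), y1)))
    else:
        lam = f_mul(f_sub(y2, y1), f_inv(f_sub(x2, x1)))
    x3 = f_sub(f_sub(f_mul(lam, lam), x1), x2)
    return (x3, f_sub(f_mul(lam, f_sub(x1, x3)), y1))

def ec_mul(curve, k, pt):
    r = None
    while k:
        if k & 1:
            r = ec_add(curve, r, pt)
        pt, k = ec_add(curve, pt, pt), k >> 1
    return r

def some_points(curve, limit):
    pts = []
    for x in ELEMENTS:
        r = rhs(curve, x)
        for y in ELEMENTS:
            if f_mul(y, y) == r:
                pts.append((x, y))
                break
        if len(pts) == limit:
            break
    return pts

def identify(e1, e2, n1, n2):
    """The order test of findOEFCurve: a point G on e1 with n1*G != O rules out |e1| = n1.
    Returns (curve with n1 points, curve with n2 points)."""
    for g in some_points(e1, 40):
        if ec_mul(e1, n1, g) is not None:
            return e2, e1
        if ec_mul(e1, n2, g) is not None:
            return e1, e2
    raise ValueError("undecided: every sampled point had order dividing gcd(n1, n2)")

if __name__ == "__main__":
    j = hilbert_roots()[0]
    e1, e2 = curves_from_j(j, (0, 1))      # s = X is a non-square in F_289
    n1, n2 = Q + 1 - T, Q + 1 + T
    e_n1, e_n2 = identify(e1, e2, n1, n2)
    print("j =", j, " E1 =", e1, " E2 =", e2)
    print("curve with", n1, "points:", e_n1, " counted:", count_points(e_n1))
    print("curve with", n2, "points:", e_n2, " counted:", count_points(e_n2))
```

identify samples up to 40 points of the first curve, because a point whose order divides $\gcd(261, 319) = 29$ is annihilated by both candidate orders and decides nothing; with a prime order $r$, as in findOEFCurve, one random point suffices.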

We finally present the main algorithm oefCurve. Given $n$, $m$, and $h_0$, oefCurve first invokes findField(n, m, h_0). Once $p$, $r$, and $\Delta$ are determined, it calls the functions findBinomial and findOEFCurve. Finally, oefCurve returns $(p, r, f, E, G)$, where $f$ denotes the binomial.



4 Running Times and Statistics 

We implemented our algorithms in C++ using the library LiDIA 2.0 and the GNU compiler 2.95.2 with the optimization flag -O2, using gmp 2.0.2 as the underlying multiprecision package. The timings were measured on a Pentium III running Linux 2.2.14 at 850 MHz with 128 MB of main memory. Hence the timings can be reproduced on any modern personal computer. We present some sample running times of oefCurve(32, 5, h_0) and CPU timings for $200 \leq h_0 \leq 250$, $10 \mid h_0$, in Table 1. More timings and statistical data may be found in [Bai01b].



Table 1. Data delivered by oefCurve(32, 5, h_0).

  h_0    h     Δ           p             ω    CPU-time in seconds
  200    200   −125579     4294920991    2    21.8
  210    210   −265235     4294903891    7    52.8
  220    220   −268931     4294931761    2    65.3
  230    230   −405803     4294931071    2    64.0
  240    240   −170651     4294946191    2    38.5
  250    250   −254579     4294940641    3    54.6



Finally, we give some statistical data on the number of non-isomorphic elliptic curves of prime order over Optimal Extension Fields $\mathbb{F}_{p^5}$ where $p$ is a 32-bit prime. First, we determine for each class number $h$ with $200 \leq h \leq 400$, $h$ divisible by 5, the number of pairs $(\Delta, p)$, where $\Delta > -6000000$ is a fundamental discriminant congruent to 5 mod 8 and $p$ a 32-bit prime, such that there exists a cryptographically strong elliptic curve of prime order $r$ over $\mathbb{F}_{p^5}$ having an endomorphism ring of discriminant $\Delta$. In all, there are 5579 such tuples. Furthermore, in 4563 of the cases, the corresponding field $\mathbb{F}_{p^5}$ is a Type II OEF. Next, we determine the number of non-isomorphic elliptic curves for the tuples $(\Delta, p)$ as above. For each such tuple $(\Delta, p)$ there are $h(\Delta)$ non-isomorphic elliptic curves having the properties cited above. In all, there are 1546830 non-isomorphic curves, and 1263850 of them are defined over a Type II OEF. We deduce that, even in our special case, the set of non-isomorphic curves for use in cryptography is sufficiently large to choose from.
Abstract. In 1999 Silverman [21] introduced a family of binary finite fields which are composite extensions of $\mathbb{F}_2$ and on which arithmetic operations can be performed more quickly than on prime extensions of $\mathbb{F}_2$ of the same size.

We present here a fast approach to elliptic curve cryptography using a distinguished subset of the set of Silverman fields $\mathbb{F}_{2^{p-1}} = \mathbb{F}_{2^N}$. This approach leads to a theoretical computation speedup over fields of the same size, using a standard point of view (cf. [7]). We also analyse their security against prime extension fields $\mathbb{F}_{2^p}$, where $p$ is prime, following the method of Menezes and Qu [12]. We conclude that our fields do not present any significant weakness towards the solution of the elliptic curve discrete logarithm problem and that often the Weil descent of Galbraith-Gaudry-Hess-Smart (GGHS) does not offer a better attack on elliptic curves defined over $\mathbb{F}_{2^N}$ than on those defined over $\mathbb{F}_{2^p}$, with a prime $p$ of the same size as $N$.

A noteworthy example is provided by $\mathbb{F}_{2^{226}}$: a generic elliptic curve $Y^2 + XY = X^3 + aX^2 + \beta$ defined over $\mathbb{F}_{2^{226}}$ is as prone to the GGHS Weil descent attack as a generic curve defined over the NIST field $\mathbb{F}_{2^{233}}$.

Keywords. Finite fields, Weil descent, elliptic curve cryptography, fast performance.



1 Introduction 

Elliptic curve cryptography was introduced in 1986 independently by Koblitz [10] and Miller [14] as a rich context where one can apply cryptographic protocols based on the discrete logarithm problem in a multiplicative group $G$: given $a, b \in G$ such that $b = a^d$, find $d$.

However, the rich structure of elliptic curves made possible a wide variety of attacks that must be avoided in the design of elliptic curve cryptosystems such as ECIES or ECDSA. Some of these attacks rely on a peculiarity of a curve or a family of curves, such as supersingular elliptic curves [13], or elliptic curves of trace one [22,18,19].

* The work described in this paper has been supported by the European Commission through the IST Programme under Contract IST-1999-12324.

Nevertheless, in general, such elliptic curves can be easily avoided, except in the case when the field $\mathbb{F}_{h^n}$ is intrinsically weak, and this may happen when $h = 2^l$ with $l > 4$ [23]. Indeed Galbraith-Gaudry-Hess-Smart devised a practical implementation of the Weil descent to compute discrete logarithms in $\mathbb{F}_{2^N}$ for composite $N$. This result seemed to preclude the use of composite binary fields for elliptic curve cryptography.

On the other hand, Silverman [21] (and independently in 1989 Ito-Tsujii [9]) proved that basic field operations can be implemented very quickly on certain composite binary extensions, namely extensions $\mathbb{F}_{2^{p-1}}$ with prime $p$ such that 2 is a primitive root modulo $p$, which we will call Silverman fields.

The goal of the present article is to resuscitate elliptic curve cryptography over the Silverman fields $\mathbb{F}_{2^{p-1}}$. The idea is to choose Sophie Germain primes (SG-primes) $q$ so that $\mathbb{F}_{2^{2q}} = \mathbb{F}_{2^{p-1}}$. In this way we will be able to keep a good performance record since we are working with Silverman fields while at the same time ensuring an excellent security against the Galbraith-Gaudry-Hess-Smart attack, since $\mathbb{F}_{2^{2q}}$ is a "quasi-prime extension" ($l = 2$).

2 Definitions, Setup and Performance

In this section we describe the working representations of the binary fields $\mathbb{F}_{2^n}$ as well as of the ring $R_p$ which is used to speed up computations in $\mathbb{F}_{2^{p-1}}$.

Let $n$ be a positive integer. The field $\mathbb{F}_{2^n}$ is generally regarded as a quotient $\mathbb{F}_2[X]/(P(X))$ where $P(X)$ is an irreducible polynomial of degree $n$ over $\mathbb{F}_2$. Each element $\alpha$ of $\mathbb{F}_{2^n}$ is viewed as a polynomial $\sum_{i=0}^{n-1} \alpha_i X^i$ modulo $P(X)$ and denoted $(\alpha_0 \cdots \alpha_{n-1})$. In the case of NIST fields, one chooses $n$ to be prime and $P(X)$ to be a trinomial or a pentanomial in order to minimise field operation cost on machines.

Let $p$ be a prime. We denote $\Phi_p(X) := X^{p-1} + X^{p-2} + \cdots + X^2 + X + 1 \pmod 2$. It is well known that $\Phi_p(X)$ is an irreducible polynomial over $\mathbb{F}_2$ if and only if 2 is a primitive root modulo $p$. This condition is equivalent to $2^{(p-1)/l} \not\equiv 1 \pmod p$ for every prime $l$ dividing $p - 1$. A prime $p$ such that 2 is a primitive root modulo $p$ is called a primitive prime (to the base 2).

Examples of primitive primes include 101, 107, 131, 139 etc. There is a famous conjecture by E. Artin that there are infinitely many such primes, and that they have a natural density. However, neither of those two assertions has been proved yet, although Hooley [8] deduced the Artin conjecture from the generalised Riemann hypothesis.

Following [21] we introduce $R_p = \mathbb{F}_2[X]/(X^p + 1)$. In the sequel we will suppose that the prime $p$ is primitive. If this is the case then $X^p + 1 = (X + 1)\,\Phi_p(X)$ with both factors irreducible, and by the Chinese remainder theorem

$$R_p \cong \mathbb{F}_{2^{p-1}} \times \mathbb{F}_2.$$

We can pass from $R_p$ to $\mathbb{F}_{2^{p-1}}$ in both directions very easily and this canonical projection (reduction modulo $\Phi_p$) is very fast.
Here is the list of primitive primes $100 < p < 1200$ such that $q = (p-1)/2$ is also prime: 107, 179, 227, 347, 467, 563, 587, 1019, 1187. Such primes are quite sparse, but from probabilistic methods one conjectures that the number of such primes less than $x$ is $\approx x / \log^2 x$,¹ hence we may find them as large as needed.

Let us consider the performance of the relevant arithmetic operations, used in elliptic curve cryptosystems, over the field $\mathbb{F}_{2^N}$, where, following Silverman, we have denoted $N = p - 1$. Algorithms for each basic operation are available in [21].

Considering $\mathbb{F}_{2^p}$ as an $\mathbb{F}_2$-vector space of dimension $p$, we define the trinomial basis (resp. pentanomial basis) to be the canonical basis of $\mathbb{F}_{2^p}$ under the isomorphism $\mathbb{F}_{2^p} \cong \mathbb{F}_2[X]/(P(X))$, with $P(X)$ an irreducible trinomial (resp. pentanomial) in $\mathbb{F}_2[X]$ of degree $p$.

Addition in $R_p$ is a very straightforward operation taking up as much time as in $\mathbb{F}_{2^p}$, since we have to XOR words of similar size.

Squaring of $R_p$ elements proceeds by defining two other elements which are XORed to produce the output. Since $X^p = 1$ in $R_p$, squaring amounts to reordering the $\alpha_i$'s (the coefficient of $X^i$ moves to $X^{2i \bmod p}$) and is as efficient as if using optimal normal bases [3].

Multiplication of two elements of $R_p$ is twice as efficient as optimal normal basis multiplication or Montgomery multiplication. In the particular case of a trinomial or pentanomial basis, this advantage is less significant.

Modular inversions are somewhat simple using a modified Almost Inverse Algorithm (AIA). For more details and implementations see [7,21].

Finally the speedup comes only from the underlying field arithmetic and not from a specific curve, like Koblitz curves [11], or specific computation techniques [24]. All generic exponentiation methods [6], like for example the NAF method [15], can be used in this particular type of extension.
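The following program is an added example (not the paper's or Silverman's code) of the definitions in this section: the primitive-prime test via $2^{(p-1)/l} \not\equiv 1 \pmod p$, the irreducibility of $\Phi_p$ over $\mathbb{F}_2$, the list of primitive primes with $(p-1)/2$ prime, and the ring $R_p = \mathbb{F}_2[X]/(X^p + 1)$ with its cyclic multiplication, its permutation squaring, and the projections to $\mathbb{F}_{2^{p-1}}$ and $\mathbb{F}_2$. Polynomials over $\mathbb{F}_2$ are represented as Python integers (bit $i$ is the coefficient of $X^i$); the two sample elements of $R_{11}$ at the end are constructed inputs.

```python
"""Primitive primes, Phi_p, and arithmetic in R_p = F_2[X]/(X^p + 1).  Added example.
Polynomials over F_2 are ints: bit i is the coefficient of X^i."""

def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def prime_factors(n):
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

def is_primitive_prime(p):
    """2 is a primitive root mod p  <=>  2^((p-1)/l) != 1 (mod p) for every prime l | p-1."""
    return is_prime(p) and p > 2 and all(pow(2, (p - 1) // l, p) != 1 for l in prime_factors(p - 1))

def silverman_safe_primes(lo, hi):
    """Primitive primes p with lo < p < hi and q = (p-1)/2 prime, so that F_{2^(p-1)} = F_{2^(2q)}."""
    return [p for p in range(lo + 1, hi) if is_primitive_prime(p) and is_prime((p - 1) // 2)]

def pm_mul(a, b):
    """Carry-less multiplication in F_2[X]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pm_mod(a, m):
    """Remainder of a modulo m in F_2[X]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def phi(p):
    """Phi_p(X) = X^(p-1) + ... + X + 1: p consecutive one bits."""
    return (1 << p) - 1

def is_irreducible(f):
    """Exhaustive check, fine for small degree: no divisor of degree 1 .. deg(f)/2."""
    deg = f.bit_length() - 1
    return deg >= 1 and all(pm_mod(f, g) != 0 for g in range(2, 1 << (deg // 2 + 1)))

def rp_mul(a, b, p):
    """Product in R_p: multiply, then fold with X^p = 1 (one fold suffices, deg(ab) <= 2p-2)."""
    c = pm_mul(a, b)
    return (c & ((1 << p) - 1)) ^ (c >> p)

def rp_square(a, p):
    """Squaring in R_p is the bit permutation i -> 2i mod p (squaring is F_2-linear)."""
    r = 0
    for i in range(p):
        if a >> i & 1:
            r |= 1 << (2 * i % p)
    return r

def rp_to_field(a, p):
    """Projection R_p -> F_{2^(p-1)} = F_2[X]/(Phi_p): reduce modulo Phi_p."""
    return pm_mod(a, phi(p))

def rp_to_f2(a):
    """Projection R_p -> F_2 = F_2[X]/(X + 1): evaluate at X = 1, i.e. the parity of the weight."""
    return bin(a).count("1") & 1

if __name__ == "__main__":
    print("primitive primes p in (100, 1200) with (p-1)/2 prime:", silverman_safe_primes(100, 1200))
    p = 11                                   # 2 is a primitive root mod 11, so Phi_11 is irreducible
    a, b = 0b10110011011, 0b01101010001      # constructed sample elements of R_11
    c = rp_mul(a, b, p)
    print("Phi_11 irreducible:", is_irreducible(phi(p)), " Phi_7 irreducible:", is_irreducible(phi(7)))
    print("a*b in R_11:", bin(c), " image in F_{2^10}:", bin(rp_to_field(c, p)), " image in F_2:", rp_to_f2(c))
```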

A notable feature of our analysis is the conjoint use of primitive primes $p$ and of SG-primes $q = (p-1)/2$. The former property is necessary to ensure a good performance, while the latter leads to the claimed security of the field

$$\mathbb{F}_{2^{2q}} = \mathbb{F}_{2^N} = \mathbb{F}_{2^{p-1}}.$$

We therefore analyse the security of the Silverman fields $\mathbb{F}_{2^N}$ for elliptic curve cryptography.

3 On the Security of the Elliptic Curve Discrete Logarithm over $\mathbb{F}_{2^{2q}}$

In this section we will use the following notation: we let $n$, $l$ be two positive integers, $h = 2^l$, $K = \mathbb{F}_{h^n}$ and $k = \mathbb{F}_h$.



¹ If $f$ and $g$ are non-negative functions, we write $f(x) \approx g(x)$ if there exist positive numbers $c_1, c_2$ such that $c_1 g(x) \leq f(x) \leq c_2 g(x)$. We are not interested in formulating a precise asymptotic formula here, only a lower bound (the upper bound is classical).
3.1 Generic Attacks on Elliptic and Hyperelliptic Curves

When using elliptic curve cryptography, one must prevail against known attacks on the elliptic curve discrete logarithm problem. For an elliptic curve $E$ defined over $\mathbb{F}_{2^N}$ these are:

1. Pollard's $\rho$ algorithm [17], which has a running time of $O(2^{N/2} t_0)$, where $t_0$ is the time to perform an addition of two points on the curve,

2. the baby step-giant step algorithm, due to Shanks [20], which runs in $O(N 2^{N/2} t_0)$.

To solve the discrete logarithm problem on the Jacobian of a hyperelliptic curve $H$ of genus $g$ defined over $k$, one resorts to five methods:

1. Pollard's $\rho$ [17], which has a running time of $O(g^2 h^{g/2} \log^2 h)$ bit operations, since $\mathrm{card}\,\mathrm{Jac}(H) \approx h^g$ and a group operation on $\mathrm{Jac}(H)$ takes $O(g^2 \log^2 h)$ bit operations using Cantor's algorithm [1],

2. the baby step-giant step algorithm, due to Shanks [20], which runs in $O(g^3 h^{g/2} \log^3 h)$,

3. the Pohlig-Hellman algorithm [16], which is not better than Pollard's $\rho$ if $\mathrm{card}\,\mathrm{Jac}(H)$ has a large prime factor, which is the case by the Gaudry-Hess-Smart construction of $\mathrm{Jac}(H)$,

4. the Enge-Gaudry subexponential algorithm [2] with estimated running time $O\Big(\exp\big((\sqrt{2} + o(1))\sqrt{g \log h\,(\log g + \log\log h)}\big)\Big)$ as $g/\log h$ goes to infinity; this method is not applicable when $h^g$ is too large, say around $2^{1024}$, hence when $g > 2^{10}$,

5. Gaudry's algorithm [4], a variation of the classical index-calculus algorithm, with running time $O(g^3 h^2 \log^2 h + g^2\, g!\, h \log^2 h)$. Actually when $g$ is fixed, Gaudry's algorithm runs in $O(h^2)$, which is better than Pollard's $\rho$ when $g > 4$. However this method is impractical when $g > 31$ (using a modified version due to Enge-Gaudry).

The recent work of Gaudry, Hess and Smart [5] (GHS) shows how, for a large proportion of elliptic curves $E$ defined over a binary field $F$, the discrete logarithm problem on a subgroup of $E(F)$ can be transposed to the same problem on a subgroup of the Jacobian of a hyperelliptic curve. Gaudry's algorithm [4] then manages to solve this equivalent discrete logarithm in a substantially quicker time than the standard methods of Pollard or Shanks.



3.2 Description of the GHS Implementation of the Weil Descent

We give here an account of the Weil descent method of Gaudry, Hess and Smart. Let $E/K$ be an elliptic curve. A theorem of Weil says that one can define an abelian variety $A/k$ (defined over the smaller field) such that canonically $A(k) \cong E(K)$. In our case $A = E \times E^{\sigma} \times \cdots \times E^{\sigma^{n-1}}$, where $\sigma$ is the Frobenius automorphism of $K$ over $k$.

In practice, one starts from a Weierstraß equation over $K$, say

$$Y^2 + XY = X^3 + aX^2 + \beta, \qquad \beta \neq 0. \qquad (1)$$

Given a $k$-basis $\{\rho_0, \rho_1, \ldots, \rho_{n-1}\}$ of $K$, we express

$$a = a_0\rho_0 + a_1\rho_1 + \cdots + a_{n-1}\rho_{n-1},$$
$$\beta = b_0\rho_0 + b_1\rho_1 + \cdots + b_{n-1}\rho_{n-1},$$
$$X = x_0\rho_0 + x_1\rho_1 + \cdots + x_{n-1}\rho_{n-1},$$
$$Y = y_0\rho_0 + y_1\rho_1 + \cdots + y_{n-1}\rho_{n-1}.$$

Substituting the latter equations into the former defining the elliptic curve and equating coefficients of the $\rho_i$'s, we have defined an abelian variety $A$ over $k$, obtained by Weil descent from $E$. Note that $|\mathrm{card}\,A(k) - h^n - 1| \leq 2h^{n/2}$ by the Hasse bound.

Let $G$ be a point of $E$ of large prime order $\ell$ (say about $h^n$) and $\langle G \rangle$ the cyclic group generated by $G$. Let $P = dG$ for some unknown $d \in [1, \ell - 1]$. The problem of the discrete logarithm in $\langle G \rangle \subset E$ consists in finding $d$, knowing $P$, $G$ and of course $E$.

Although the statement of the discrete logarithm problem involves only the cyclic structure of $\langle G \rangle$, the solution to this problem often depends on a suitable embedding of the group into a richer algebraic structure. Also, since $A(k) \cong E(K)$, we deduce that $\langle G \rangle$ can be embedded into an irreducible subvariety $B$ of $A$.

It happens that under some hypothesis, it is possible to explicitly find a hyperelliptic curve $H \subset A$ of genus $g$ such that its Jacobian has an irreducible component isogenous to $B$. One can also give a formula for $g$, namely $g = 2^{m-1}$ or $2^{m-1} - 1$, where $1 \leq m \leq n$ is the $\mathbb{F}_2$-dimension of some vector space (see below).

To put it otherwise, there exists an explicitly computable homomorphism $E(K) \to \mathrm{Jac}(H)$ such that its kernel does not contain $\langle G \rangle$. Hence the problem of solving the discrete logarithm in $\langle G \rangle \subset E$ is translated into finding the same $d$ as above with respect to a subgroup isomorphic to $\langle G \rangle$ sitting inside $\mathrm{Jac}(H)$. Since there exists a fast (in $O(h^{2+\varepsilon})$) algorithm, due to Gaudry, to find discrete logarithms there, the problem is noticeably simplified.

A consequence is that such elliptic curves as those we started with should be avoided for cryptographic purposes. In general, this reasoning has brought the conclusion that elliptic curves defined over composite extension fields of $\mathbb{F}_2$ should be eschewed by cryptographers. However, specific curves, such as Koblitz curves (defined over $\mathbb{F}_2$), currently thwart this kind of attack.

On the other hand it should be noticed that the current approach to the Weil descent breaks down if $n < 4$, since in this case the Pollard $\rho$ method solves the discrete logarithm problem on $E(K)$ in $O(\sqrt{h^n}) = O(h^{n/2})$, that is faster than through the aforementioned approach.

Similarly Menezes and Qu [12] proved that the fields $\mathbb{F}_{2^p}$ are immune to the GHS version of the Weil descent attack. Our goal is next to extend their approach to establish the security of the fields $\mathbb{F}_{2^{2q}}$, when $q$ is prime.
3.3 The Menezes and Qu Analysis

Suppose that the elliptic curve is given in Weierstraß form as in (1). Let $\sqrt{\cdot}$ denote the inverse of the Frobenius $x \mapsto x^2$, i.e. the square root map, which is a bijection in characteristic 2. The definition of the number $m$ in the genus formula above is given by

$$m(\beta) = \dim_{\mathbb{F}_2}\Big(\mathrm{Span}_{\mathbb{F}_2}\big\{(1, \sqrt{\beta_0}), (1, \sqrt{\beta_1}), \ldots, (1, \sqrt{\beta_{n-1}})\big\}\Big),$$

where $\beta_i = \beta^{\sigma^i}$ is the image of $\beta$ under the $i$-th power of the Frobenius automorphism $\sigma$ (over $k$).

Menezes and Qu define another value, $\tilde m(\beta)$, closely related to $m(\beta)$, by the formula

$$\tilde m(\beta) = \dim_{\mathbb{F}_2}\Big(\mathrm{Span}_{\mathbb{F}_2}\big\{\sqrt{\beta_0}, \sqrt{\beta_1}, \ldots, \sqrt{\beta_{n-1}}\big\}\Big).$$

To see how the two values are related, let $n = 2^e n_1$, where $n_1$ is odd, and let $t = 2^e$. The polynomial $x^n + 1$ factors in $\mathbb{F}_2[x]$ as $(f_0 f_1 \cdots f_s)^t$, where $f_0 = x + 1$ and the $f_i$'s are distinct irreducible polynomials in $\mathbb{F}_2[x]$ with $\deg f_i = d_i$.

We view $K$ as an $\mathbb{F}_2$-vector space and $\sigma$ as an $\mathbb{F}_2$-endomorphism of $K$. The unique monic polynomial $f$ of least degree in $\mathbb{F}_2[x]$ such that $f(\sigma) = 0$ in $\mathrm{End}(K)$ is $x^n + 1$. In particular $K$ is the null space of $\sigma^n + 1$.

The idea of Menezes and Qu is to decompose the field $K$ into a direct sum of subspaces corresponding to the null spaces of the factors $f_i(\sigma)^t$. One has

$$K = \bigoplus_{i=0}^{s} W_i, \qquad W_i = \ker f_i(\sigma)^t.$$

Let $\gamma \in K$. By what precedes, we can write uniquely $\gamma = \sum_{i=0}^{s} \gamma_i$ where $\gamma_i \in W_i$. For $0 \leq i \leq s$, define

$$j_i = j_i(\gamma) = \min\big\{\, j \geq 0 : \gamma_i \in \ker f_i(\sigma)^j \,\big\}.$$

We define the type of $\gamma$ to be $(j_0, \ldots, j_s)$.

The relation between $m(\beta)$ and $\tilde m(\beta)$ appears as Theorem 6 in [12]. It states

Theorem 1 (Menezes and Qu). Let $\beta \in K = \mathbb{F}_{h^n}$. Then

$$m(\beta) = \begin{cases} \tilde m(\beta), & \text{if } j_0(\sqrt{\beta}) \neq 0, \\ \tilde m(\beta) + 1, & \text{if } j_0(\sqrt{\beta}) = 0. \end{cases}$$

Furthermore, Menezes and Qu give a complete description of the values taken on by $\tilde m(\beta)$ when $\beta \in K$. They also give the number of elements of $K$ with given value $\tilde m$. Their result appears as Theorem 5, which we recall here.

Theorem 2 (Menezes and Qu). Let $\gamma \in K = \mathbb{F}_{h^n}$. Then the admissible values for $\tilde m(\gamma)$ are $\sum_{i=0}^{s} j_i d_i$ where each $j_i \in [0, t]$. Moreover, there are precisely

$$\prod_{i=0,\ j_i \neq 0}^{s} (h^{d_i} - 1)\, h^{d_i (j_i - 1)}$$

elements $\gamma \in K$ of type $(j_0, \ldots, j_s)$, and each of them satisfies

$$\tilde m(\gamma) = \sum_{i=0}^{s} j_i d_i.$$

3.4 GHS Weil Descent from the Fields $\mathbb{F}_{2^{2q}}$

We are interested in this paper in fathoming, in the fashion of Menezes and Qu, the security of the field $K = \mathbb{F}_{h^n}$, where $h = 2^l$ and $n = q$ is prime, as we descend to the subfield $k = \mathbb{F}_h$. In particular we will consider the case where $l = 2$, thus producing highly secure fields $\mathbb{F}_{2^{2q}}$, since they are "quasi-prime extensions" of $\mathbb{F}_2$. We follow the reasoning of [12].

Since $\mathrm{card}\,\mathrm{Jac}(H) = h^g + O(h^{g - 1/2})$ and the success of Gaudry's algorithm depends clearly on the magnitude of $\mathrm{Jac}(H)$, Menezes and Qu observe that currently the GHS approach to the Weil descent is ineffective whenever $h^g \geq 2^{1024}$. When $h = 2$, this imposes a lower security bound such as $m \geq 11$. Also in the case when $m = 1$, the GHS method is ineffective, since the curve obtained by Weil descent is elliptic (this is the case of Koblitz curves).

From the Menezes and Qu analysis, more specifically from Theorem 2, one immediately deduces that the admissible values of $\tilde m$ (and hence $m$) in the Weil descent do not depend on $l$, that is on the degree of $\mathbb{F}_h$ over $\mathbb{F}_2$, but only on $n$, the degree of $\mathbb{F}_{h^n}$ over $\mathbb{F}_h$. Notice that $m(\beta) = 1$ if and only if $\beta \in \mathbb{F}_h$.

More specifically, if $h = 4$, then the field $\mathbb{F}_{2^{2q}}$ contains $\mathbb{F}_{2^q}$, $\mathbb{F}_4$ and $\mathbb{F}_2$ as proper subfields.

Going down from $\mathbb{F}_{2^{2q}}$ to $\mathbb{F}_4$, by the previous observation and the experimental results of [12] we deduce that the admissible values (greater than 1) of $m$ are at least 16 when $q \in [100, 600]$ and $q \neq 127$ (for $q = 127$ the polynomial $x^{127} + 1$ has irreducible factors of degree 7, since $2^7 \equiv 1 \bmod 127$, so small values of $m$ occur). Hence the same holds a fortiori when we descend to $\mathbb{F}_2$, since the relative $m$ does not decrease (cf. the definition of $m$).

As for the descent from $\mathbb{F}_{2^{2q}}$ to $\mathbb{F}_{2^q}$, the degree of the descent is 2 and the hyperelliptic curve found by the method of GHS has genus at most two. For such curves, it is well known that Pollard rho is still more efficient than Gaudry's algorithm to compute discrete logarithms, hence the GHS attack fails for all elliptic curves over $\mathbb{F}_{2^{2q}}$ with $q \in [100, 600]$ and $q \neq 127$, and in general we can affirm that, when considering Weil descent via GHS, the security of the field $\mathbb{F}_{2^{2q}}$ for elliptic curve cryptography is at least as strong as the security of the field $\mathbb{F}_{2^q}$.

4 Conclusion 

We have produced a sequence of fields $\mathbb{F}_{2^N}$, such as 

$\mathbb{F}_{2^{178}},\ \mathbb{F}_{2^{226}},\ \mathbb{F}_{2^{1018}},\ \mathbb{F}_{2^{1186}}$, 

which are secure for elliptic curve cryptography. Indeed the GHS Weil descent 
attack on elliptic curves defined over these fields produces hyperelliptic curves 
of genus at least $2^{m-1} - 1$, where $m > 12, 29, 509, 149$ respectively. Therefore 
the elliptic discrete logarithm problem on these curves is currently out of reach 
of known attacks. As an example the field $\mathbb{F}_{2^{226}}$ offers the same order of security 
against the GHS attack as the NIST field $\mathbb{F}_{2^{233}}$, where the corresponding lower 
bound on $m$ is 30. 

Moreover the performance of basic field operations in the fields $\mathbb{F}_{2^N}$ is faster 
than in the fields $\mathbb{F}_{2^{N+1}} = \mathbb{F}_{2^p}$. 
Abstract. Frameproof and identifying parent property codes and their 
relationship to hash families and error correcting codes are studied. An 
upper bound on the size of such codes is presented. A generalization of 
the identifying parent property is introduced and studied in terms of a new 
class of hash families, the strong separating hash families. Asymptotic 
consequences of some recursive construction techniques are described. 



1 Introduction 

Codes providing certain forms of traceability have been studied for their appli- 
cations to the protection of intellectual property rights. The weakest form of such 
codes provides protection against the possibility of a user being framed by a 
coalition of users. Such codes are called frameproof codes and were introduced 
by Boneh and Shaw [5]. A stronger notion, introduced in [12] and called secure 
frameproof code, is protection against two disjoint coalitions being able to pro- 
duce a common descendant. The strongest version studied in this paper is called 
the identifying parent property (IPP) and requires the condition that if a set of 
coalitions is able to produce a common descendant then the coalitions must have 
a codeword in common (the identifying parent). This concept was introduced 
in [8]. 

The class of codes with the traceability property has been studied by several 
authors. A systematic combinatorial study has been carried out in [10]. In a 
recent work, Blackburn [2] has provided an upper bound on the cardinality of 
frameproof codes. Also [2] provides a counterexample, a 3-frameproof code of 
length 5, to show that the coefficient of the leading term in the upper bound is not 
tight. We build on this counterexample to show that in most cases the coefficient 
of the upper bound is not tight. 

A sufficient condition for the existence of IPP codes has been obtained in 
terms of perfect hash families in [10]. This raised the question of the existence of 
IPP codes for certain values of the parameters. This question was resolved in [4] 
by the probabilistic method, using a new family of hash functions called the 
partially hashing family. We introduce a natural generalization of perfect and 
separating hash families called the strong separating hash family, which turns out 
to be equivalent to the class of partially hashing families. We introduce a gen- 
eralization of IPP codes and obtain a hierarchy of codes between the frameproof 
and IPP codes. The existence of these codes is studied in terms of the strong 
separating hash family and error correcting codes. 

Frameproof and IPP codes can be constructed from suitable hash fami- 
lies, which in turn can be constructed from error correcting codes. We explore 
this theme in conjunction with a recursive composition type construction used 
in [8,13]. It turns out that for each size of the alphabet and strength of the code 
it is possible to construct these classes of codes having a fixed relation between 
the length and cardinality. 

Due to lack of space, some of the proofs cannot be presented in the paper. 
These proofs can be found in the technical report [9]. 

2 Hash Functions 

Let $H$ be a family of $N$ functions from $\{1, \ldots, n\}$ to the alphabet $Q$ of cardinality 
$q$. The family $H$ is called an $(N, n, q)$ hash family. Given an $(N, n, q)$ hash family 
we can obtain an $N \times n$ matrix by enumerating the values of all the functions. 
Sometimes it is easier to consider hash families as such matrices. 

Definition 1. We consider the following kinds of hash families. 

1. Perfect hash family: An $(N, n, q)$ hash family $H$ is called an $(N, n, q, w)$ 
perfect hash family ($(N, n, q, w)$-PHF) if for any subset $S \subseteq \{1, \ldots, n\}$ of 
cardinality $w$, there is a function $f \in H$ such that $f$ is injective on $S$. 

2. Separating hash family: An $(N, n, q)$ hash family $H$ is called an 
$(N, n, q, w_1, w_2)$ separating hash family ($(N, n, q, w_1, w_2)$-SHF) if for any two 
disjoint subsets $A, B$ of $\{1, \ldots, n\}$ with $|A| = w_1$ and $|B| = w_2$, there is a 
function $f$ in $H$ such that $f(A)$ and $f(B)$ are also disjoint. 

3. Strong separating hash family: An $(N, n, q)$ hash family $H$ is called 
an $(N, n, q, w_1, w_2)$ strong separating hash family ($(N, n, q, w_1, w_2)$-SSHF) if 
for any two disjoint subsets $A, B \subseteq \{1, \ldots, n\}$ with $|A| = w_1$ and $|B| = w_2$, 
there is a function $f \in H$ such that $f$ is injective on $A$ and $f(A) \cap f(B) = \emptyset$. 

4. Partially hashing family [4]: An $(N, n, q)$ hash family $H$ is called an 
$(N, n, q, t, u)$ partially hashing family ($(N, n, q, t, u)$-PAHF) if for any two 
subsets $T, U \subseteq \{1, \ldots, n\}$ such that $T \subseteq U$, $|T| = t$, $|U| = u$, there is a 
function $f$ in $H$ such that for any $x \in T$ and any $y \in U$, if $y \neq x$, we have 
$f(x) \neq f(y)$. 

See [6] for a survey on perfect hash families. The concept of separating hash fam- 
ilies was introduced in [11] and that of partially hashing families was introduced 
in [4]. 

We now relate strong separating hash and partially hashing properties to 
the other hashing properties. The following is immediate from the definition of 
strong separating hash property. 

Theorem 1. Let $H$ be an $(N, n, q)$ hash family. 

1. If $H$ is an $(N, n, q, w_1, w_2)$-SSHF, then it is simultaneously an $(N, n, q, w_1, w_2)$- 
SHF and an $(N, n, q, w_1)$-PHF. 

2. If $H$ is an $(N, n, q, w_1 + w_2)$-PHF, then it is an $(N, n, q, w_1, w_2)$-SSHF. 

3. If $H$ is an $(N, n, q, w_1, w_2)$-SSHF, then it is an $(N, n, q, t_1, t_2)$-SSHF for any 
$t_1 \le w_1$ and $t_2 \le w_2$. 

It is not difficult to see that the converse of Theorem 1(1) does not in gen- 
eral hold. We now show the equivalence of strong separating hash and partially 
hashing property. 

Theorem 2. A hash family $H$ is an $(N, n, q, w_1, w_2)$-SSHF iff it is an 
$(N, n, q, w_1, w_1 + w_2)$-PAHF. 

Proof: Suppose $H$ is an $(N, n, q, w_1, w_2)$-SSHF. We will show that $H$ is an 
$(N, n, q, w_1, w_1 + w_2)$-PAHF. Let $A \subseteq B \subseteq \{1, \ldots, n\}$, with $|A| = w_1$, $|B| = 
w_1 + w_2$. Let $C = B - A$. Then $|C| = w_2$ and $C \cap A = \emptyset$. By the strong separating 
hash property there is an $f$ such that $f$ is injective on $A$ and $f(A) \cap f(C) = \emptyset$. 
Let $x \in A$ and $y \in B$ with $x \neq y$. There are two cases to consider. 

1. $y \in A$. Since $f$ is injective on $A$, $f(x) \neq f(y)$. 

2. $y \in B - A$. Since $C = B - A$ and $f(A) \cap f(C) = \emptyset$, $f(x) \neq f(y)$. 

Thus in both cases $f(x) \neq f(y)$ and hence $H$ is an $(N, n, q, w_1, w_1 + w_2)$-PAHF. 

Conversely, suppose $H$ is an $(N, n, q, w_1, w_1 + w_2)$-PAHF. We show $H$ is 
an $(N, n, q, w_1, w_2)$-SSHF. Let $A, B \subseteq \{1, \ldots, n\}$, with $A \cap B = \emptyset$, $|A| = w_1$, 
$|B| = w_2$. Let $C = A \cup B$. Then $|C| = w_1 + w_2$ and $A \subseteq C$. Thus by the partially 
hashing property there is a function $f$ such that if $x \in A$ and $y \in C$ and $x \neq y$, 
then $f(x) \neq f(y)$. It is not difficult to argue that this $f$ must be injective on $A$ 
and $f(A) \cap f(B) = \emptyset$. Hence $H$ is an $(N, n, q, w_1, w_2)$-SSHF. □ 
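As an added example (not from the paper), the following Python code checks the four properties of Definition 1 by exhaustive search on a small hash family given as its $N \times n$ matrix, and uses it to confirm Theorem 1(1), Theorem 1(2) and the Theorem 2 equivalence on that family; the family rs_family and every function name are constructed here and are not the authors'.

```python
from itertools import combinations, product

# A hash family is an N x n matrix H: row i is the function f_i and H[i][x]
# is f_i(x).  Items are numbered 0..n-1 here instead of 1..n.

def _injective_on(f, S):
    return len({f[x] for x in S}) == len(S)

def _separated(f, A, B):
    return not ({f[x] for x in A} & {f[y] for y in B})

def _disjoint_pairs(n, w1, w2):
    """All pairs (A, B) of disjoint subsets of {0..n-1} with |A| = w1, |B| = w2."""
    for A in combinations(range(n), w1):
        rest = [x for x in range(n) if x not in A]
        for B in combinations(rest, w2):
            yield A, B

def is_phf(H, w):
    """(N,n,q,w)-PHF: every w-subset S has some f in H injective on S."""
    return all(any(_injective_on(f, S) for f in H)
               for S in combinations(range(len(H[0])), w))

def is_shf(H, w1, w2):
    """(N,n,q,w1,w2)-SHF: for disjoint A, B some f has f(A) and f(B) disjoint."""
    return all(any(_separated(f, A, B) for f in H)
               for A, B in _disjoint_pairs(len(H[0]), w1, w2))

def is_sshf(H, w1, w2):
    """(N,n,q,w1,w2)-SSHF: some f is injective on A and separates A from B."""
    return all(any(_injective_on(f, A) and _separated(f, A, B) for f in H)
               for A, B in _disjoint_pairs(len(H[0]), w1, w2))

def is_pahf(H, t, u):
    """(N,n,q,t,u)-PAHF: for T within U, some f has f(x) != f(y) for all
    x in T and y in U with y != x."""
    n = len(H[0])
    return all(any(all(f[x] != f[y] for x in T for y in U if y != x) for f in H)
               for U in combinations(range(n), u)
               for T in combinations(U, t))

def rs_family(p):
    """Constructed (p+1, p^2, p) family: the items are the points (x1, x2) of
    F_p^2; the functions are x1 + a*x2 for a in F_p, plus x2.  Two distinct
    points agree under at most one function, so each pair of items can
    'spoil' at most one of the p+1 functions."""
    points = list(product(range(p), repeat=2))
    H = [[(x1 + a * x2) % p for x1, x2 in points] for a in range(p)]
    H.append([x2 for _, x2 in points])
    return H

def theorem2_agrees(H, w1, w2):
    """Theorem 2: SSHF(w1, w2) holds exactly when PAHF(w1, w1 + w2) holds."""
    return is_sshf(H, w1, w2) == is_pahf(H, w1, w1 + w2)
```

With p = 3 the family has N = 4, n = 9, q = 3; it is a (4,9,3,3)-PHF and a (4,9,3,2,1)-SSHF, but not a (4,9,3,2,2)-SSHF, since A = {(0,0),(0,1)}, B = {(1,0),(1,1)} is spoiled under all four functions.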

We present a sufficient condition for the existence of separating hash families 
based on error correcting codes. An $(n, N, q, D)$ error correcting code is a set 
$C \subseteq Q^N$ of $n$ codewords where $|Q| = q$ and the distance between any pair of 
codewords is at least $D$. We denote by $hd(x, y)$ the Hamming distance between 
two codewords $x, y$. 

The ideas in the following theorem are present in [7,1,13] and a proof can be 
found in [9]. 

Theorem 3. Let $C$ be an $(n, N, q, D)$ error correcting code with 

$$D > N \left( 1 - \frac{1}{\binom{w_1}{2} + w_1 w_2} \right). \quad (1)$$ 

Then $\mathcal{H}(C)$ is an $(N, n, q, w_1, w_2)$-SSHF. 

It is now easy to see that all the construction techniques (direct and recursive) 
used in [13] for the construction of perfect and separating hash functions can be 
applied to construct strong separating hash functions. In particular, we get the 
following result using the recursive construction technique of [13]. 

Theorem 4. For positive integers $q$, $w_1$ and $w_2$, there exists an infinite class 
of $(N, n, q, w_1, w_2)$-SSHF for which $N$ is $O\bigl((w_1(w_1 + w_2))^{\log^* n} \log n\bigr)$. 







P. Sarkar and D.R. Stinson 



3 Traceability Codes 

Let $Q$ be an alphabet of size $q$ and $C$ be a subset of $Q^N$ of cardinality $n$. We 
will call $C$ an $(n, N, q)$ code and the elements of $C$ codewords or simply 
words. It is sometimes convenient to consider $C = (c_{ij})$ to be an $n \times N$ matrix 
with elements from the set $Q$. Let $\mathrm{elem}_C(j)$ be the set of all elements that occur 
in the $j$th column of $C$, i.e., $\mathrm{elem}_C(j) = \{ a \in Q : a = c_{ij} \text{ for some } 1 \le i \le n \}$. 
When the code is understood we will write $\mathrm{elem}(j)$ instead of $\mathrm{elem}_C(j)$. Define 

$$\mathrm{desc}(C) = \mathrm{elem}_C(1) \times \cdots \times \mathrm{elem}_C(N).$$ 

The set $\mathrm{desc}(C)$ is called the descendant code of $C$. Clearly $C \subseteq \mathrm{desc}(C)$. We 
make a few remarks on the connection between $C$ and $\mathrm{desc}(C)$. 

The connection of codes and hash families follows from the fact that if $C$ 
is an $(n, N, q)$ code then $C^{T}$ can be considered to be the matrix obtained from 
an $(N, n, q)$ hash family, and conversely. Here $C^{T}$ denotes the transpose of the 
matrix $C$. Thus given an $(n, N, q)$ code $C$, we think of the columns of the matrix 
$C$ as the functions of the associated hash family. This makes it easier to state 
many of the results below. Following [10], we will denote by $\mathcal{H}(C)$ the hash 
family obtained from the code $C$. The proof of the following result can be found 
in [9]. 

Lemma 1. Let $x \in Q^N$ and $C$ be a minimal $(n, N, q)$ code over $Q$ such that 
$x \in \mathrm{desc}(C) - C$. Then $\mathcal{H}(C)$ is an $(N, n, q, n-1, 1)$-SHF. Conversely, if $C$ is 
an $(n, N, q)$ code such that $\mathcal{H}(C)$ is a minimal $(N, n, q, n-1, 1)$-SHF, then there 
is an $x \in Q^N$ such that $x \in \mathrm{desc}(C) - C$. 

Suppose $C$ is an $(n, N, q)$ code such that $|\mathrm{elem}(j)| = q$ for all $1 \le j \le N$. 
Then $C = \mathrm{desc}(C)$ iff $C = Q^N$. Here we note that if we consider the codewords 
to be one-way infinite strings over $Q$ (i.e., elements of $Q^{\infty}$) and $C$ is an infinite 
subset of $Q^{\infty}$, then $C$ is a proper subset of $\mathrm{desc}(C)$, since by diagonalization it 
is possible to construct a string in $\mathrm{desc}(C)$ which is not in $C$. 

Let $C$ be an $(n, N, q)$ code. We will call a subset $D$ of $C$ a coalition, 
and if a codeword $x$ is in $\mathrm{desc}(D)$, then we say that $D$ produces $x$. We define 
$\mathrm{desc}_w(C)$, the $w$-descendant code, in the following manner. 

$$\mathrm{desc}_w(C) = \bigcup_{C_0 \subseteq C,\ |C_0| \le w} \mathrm{desc}(C_0).$$ 

The set $\mathrm{desc}_w(C)$ consists of all codewords which could have been produced by 
subsets of $C$ of size at most $w$. We next define the important classes of codes. 

Definition 2. Let $C$ be an $(n, N, q)$ code. We now define certain traceability 
properties such a code might possess. These are the properties we will consider in 
this paper. A stronger notion of traceability exists (see for example [10]). 

1. Frameproof: We say that $C$ is an $(n, N, q, w)$-FP code if the following 
condition holds. For any subset $C_0$ of $C$ of cardinality at most $w$, if $x \in 
\mathrm{desc}(C_0) \cap C$ then $x \in C_0$. 

2. Secure frameproof: We say that $C$ is an $(n, N, q, w)$-SFP code if the follow- 
ing condition holds. For any two subsets $C_0, C_1$ of $C$ of cardinality at most 
$w$, we have that $\mathrm{desc}(C_0) \cap \mathrm{desc}(C_1) \neq \emptyset$ implies $C_0 \cap C_1 \neq \emptyset$. 

3. Identifying parent property: We say that $C$ is an $(n, N, q, w)$-IPP code 
if the following condition holds. Let $\{C_1, \ldots, C_a\}$ be a family of subsets of 
$C$ where each $C_i$ is of cardinality at most $w$. Then we must have that 

$$\bigcap_{1 \le i \le a} \mathrm{desc}(C_i) \neq \emptyset \ \text{ implies } \ \bigcap_{1 \le i \le a} C_i \neq \emptyset.$$ 

The relationships among these classes of codes and their relationships to other 
combinatorial structures such as PHF, SHF and cover free families have been 
studied in [10]. Here we briefly mention some of these relations. We use the 
notation $P_1 < P_2$ to denote the fact that property $P_2$ implies property $P_1$. 

Proposition 1. [10] The following relationships hold for any $(n, N, q)$ code. 

$(n, N, q, w)$-FP $<$ $(n, N, q, w)$-SFP $<$ $(n, N, q, w)$-IPP. 

Theorem 5. [11] 

1. A code $C$ is an $(n, N, q, w)$-FP code iff $\mathcal{H}(C)$ is an $(N, n, q, w, 1)$-SHF. 

2. A code $C$ is an $(n, N, q, w)$-SFP code iff $\mathcal{H}(C)$ is an $(N, n, q, w, w)$-SHF. 

Theorem 6. [8, Lemma 1] A code $C$ is an $(n, N, q, 2)$-IPP iff $\mathcal{H}(C)$ is both an 
$(N, n, q, 3)$-PHF and an $(N, n, q, 2, 2)$-SHF. 

A characterization of $(n, N, q, 3)$-IPP codes appears in [4]. 

4 Frameproof Codes 

In [10], it was shown that for an $(n, N, q, w)$-FP code $n \le w(q^{\lceil N/w \rceil} - 1)$. This was 
improved in [2] where it has been shown that 

$$n \le \max\bigl\{ q^{\lceil N/w \rceil},\ r(q^{\lceil N/w \rceil} - 1) + (w - r)(q^{\lfloor N/w \rfloor} - 1) \bigr\}, \quad (2)$$ 

where $r$ is the unique integer in $\{1, \ldots, w\}$ such that $r \equiv N \bmod w$. Also in [2], 
an example of an $(n, 5, q, 3)$-FP code was presented where $n \le \ldots + 3q$. This 
example shows that the coefficient of the leading term of (2) is not always tight. 
Here we build on the counterexample of [2] to provide an upper bound which 
shows that the coefficient of the leading term of (2) is in most cases not tight. 
Following [2], we define 

$$U_S = \{ x \in C : \text{there exists no } y \in C - \{x\} \text{ such that } x_i = y_i \text{ for all } i \in S \}.$$ 

The following crucial result has been proved in [2,10]. 
The following crucial result has been proved in [2,10]. 
Lemma 2. Let $C$ be an $(n, N, q, w)$-FP code and $S_1, \ldots, S_w$ a partition of 
$\{1, \ldots, N\}$. Then 

$$C = U_{S_1} \cup \cdots \cup U_{S_w}.$$ 

We require some preliminary results to prove the upper bound. These results 
are generalizations of the ideas present in [2]. 

In the following discussion we will fix an $(n, N, q, w)$-FP code $C$, where we 
write $N = wt + r$ with $r$ the unique integer in the range $\{1, \ldots, w\}$. Further 
we will only consider codes with $r$ in the range $1 < r < w$. Let $L = \{1, \ldots, N\}$. 

Let $T_1, T_2$ be subsets of $L$ satisfying 

1. $|T_1| = |T_2| = t + 1$, 

2. $T_1 \cap T_2 = \emptyset$, 

3. $|U_{T_1} \cap U_{T_2}|$ is the maximum among all pairs of subsets $T_1, T_2$ satisfying 1 
and 2 above. 

We put 

$$|U_{T_1} \cap U_{T_2}| = k q^{t+1}. \quad (3)$$ 

Clearly $0 \le k \le 1$. The next lemma and its corollary are important in obtaining 
our upper bound. The proofs can be found in [9]. 

Lemma 3. Let $S_1, S_2$ be subsets of $\{1, \ldots, N\}$ satisfying 

1. $|S_1| = |S_2| = t + 1$, 

2. $|S_1 \cap S_2| = 1$. 

Then $|U_{S_2} - U_{S_1}| \le (r - 1) k q^{t+1} + (w - r) q^t$. 

Corollary 1. Let $T_1, T_2$ be subsets of $L$ such that $|T_1| = |T_2| = t + 1$ and $T_1 \cap T_2 = 
\emptyset$. Then $|U_{T_2} - U_{T_1}| \le 2(r - 1) k q^{t+1} + 2(w - r) q^t$. 



Now we are in a position to prove the upper bound. 

Theorem 7. Let $C$ be an $(n, N, q, w)$-FP code where $N = wt + r$ and $r$ is the 
unique integer in the set $\{1, \ldots, w\}$ such that $N \equiv r \bmod w$. If $1 < r < w$, then 

$$n \le \ldots$$ 

(only the denominator $1 + 2\lfloor r/2 \rfloor (r - 1)$ of the bound is legible in the scan). 

Proof: Let $T_1, \ldots, T_w$ be a partition of $L = \{1, \ldots, N\}$ such that $T_1, \ldots, T_r$ are 
of cardinality $t + 1$ each and $T_{r+1}, \ldots, T_w$ are of cardinality $t$ each. Further we 
choose $T_1, T_2$ such that $|U_{T_1} \cap U_{T_2}| = k q^{t+1}$. Let $r_1 = \lfloor r/2 \rfloor$ and assume $U_{T_0} = \emptyset$. 
We compute $|C|$ as follows. 

$$|C| = |U_{T_1} \cup U_{T_2} \cup \cdots \cup U_{T_w}| 
\le (|U_{T_1}| + |U_{T_2}| - |U_{T_1} \cap U_{T_2}|) + |U_{T_3}| + \cdots + |U_{T_w}|.$$ 

Using (3), we get the following bound on $|C|$. 

$$|C| \le (r - k) q^{t+1} + (w - r) q^t. \quad (4)$$ 

Computing $|C|$ in a different way we get the following. 

$$|C| = |U_{T_1} \cup U_{T_2} \cup \cdots \cup U_{T_w}|$$ 
$$\le (|U_{T_1} \cup U_{T_2}|) + \cdots + (|U_{T_{2r_1 - 1}} \cup U_{T_{2r_1}}|) + |U_{T_{r - 2r_1}}| + |U_{T_{r+1}}| + \cdots + |U_{T_w}|$$ 
$$= (|U_{T_1}| + |U_{T_2} - U_{T_1}|) + \cdots + (|U_{T_{2r_1 - 1}}| + |U_{T_{2r_1}} - U_{T_{2r_1 - 1}}|)$$ 
$$\quad + |U_{T_{r - 2r_1}}| + |U_{T_{r+1}}| + \cdots + |U_{T_w}|.$$ 

For $1 \le i \le r_1$, we have, using Corollary 1, 

$$|U_{T_{2i}} - U_{T_{2i-1}}| \le 2(r - 1) k q^{t+1} + (w - r) q^t.$$ 

We use this to bound $|C|$ in another way as follows. 

$$|C| \le (r - r_1 + 2 k r_1 (r - 1)) q^{t+1} + (w - r)(2 + r_1) q^t. \quad (5)$$ 

Combining (4) and (5) and eliminating $k$ we get 

$$|C| \le \ldots \qquad □$$ 

Note: Subsequent to our work, Blackburn [3] has improved upon the upper 
bound in Theorem 7 by using techniques from extremal set theory based upon 
the Erdős–Ko–Rado theorem. 

We briefly consider the construction problem for frameproof codes. The first 
construction is simple and doubles both the alphabet size and the cardinality of the 
code while keeping the parameters $w$ and $N$ constant. 

Union Construction: Let $C$ be an $(n, N, q, w)$-FP code on alphabet $Q = 
\{a_1, \ldots, a_q\}$. Define $Q' = \{a'_1, \ldots, a'_q\}$. This ensures that $Q \cap Q' = \emptyset$. Let $C'$ 
be an $(n, N, q, w)$-FP code on alphabet $Q'$. Clearly $C'$ can be obtained from 
$C$ by changing each element $c_{ij}$ of $C$ to $c'_{ij}$. Let $D = C \cup C'$. Then $D$ is a 
$(2n, N, 2q, w)$-FP code on alphabet $Q \cup Q'$. 

The correctness of the construction can be found in [9]. This construction 
immediately gives us the following result. 

Theorem 8. Let $C$ be an $(n, N, q, w)$-FP code. Then it is possible to construct 
$(2^i n, N, 2^i q, w)$-FP codes for each integer $i \ge 1$. 

Recursive Construction: From Theorem 5 we know that $C$ is an $(n, N, q, w)$- 
FP code iff $\mathcal{H}(C)$ is an $(N, n, q, 1, w)$-SHF. A recursive construction for 
$(N, n, q, w_1, w_2)$-SHF was presented in [13]. Specializing this construction to the 
case of $w_1 = 1$ and $w_2 = w$ we get the following result. 

Theorem 9. For any positive integers $q$ and $w$, there exists an infinite class of 
$(n, N, q, w)$-FP codes for which $N$ is $O(\ldots^{\log^* n} \log n)$. 
5 IPP Codes 

In this section we study IPP codes. We present a necessary condition for IPP 
codes and introduce a generalization of IPP codes. Proofs for the next two results 
can be found in [9]. 

Theorem 10. Let $C$ be an $(n, N, q, w)$-IPP code and $x \in \mathrm{desc}_w(C)$. Then there 
is a nonempty set of indices $S \subseteq \{1, \ldots, N\}$ and a unique $y \in C$, such that 
$x_i = y_i$ for all $i \in S$. 

Theorem 11. Let $C$ be an $(n, N, q)$ code. Suppose for every $x \in \mathrm{desc}_w(C)$, there 
is a nonempty set $S \subseteq \{1, \ldots, N\}$ of columns and a unique $y \in C$, such that 
for any $i \in S$ and any codeword $z \in C$, $x_i = z_i$ implies $z = y$. Then $C$ is an 
$(n, N, q, w)$-IPP code. 

Corollary 2. Let $C$ be an $(n, N, q)$ code. Suppose for every $x \in \mathrm{desc}_w(C)$, there 
is an index $i$ and a $y \in C$, such that for any $z \in C$, $z_i = x_i$ implies $z = y$. Then 
$C$ is an $(n, N, q, w)$-IPP code. 

We now introduce a hierarchy of codes between the SFP and the IPP codes. 

Definition 3. Let $C$ be an $(n, N, q)$ code. Suppose for every $k$ coalitions ($1 \le 
k \le t$) $C_1, \ldots, C_k$ of $C$, each of size at most $w$, $x \in \bigcap_{i=1}^{k} \mathrm{desc}(C_i)$ implies 
$\bigcap_{i=1}^{k} C_i \neq \emptyset$. Then we call $C$ an $(n, N, q, w, t)$-IPP code. 

Clearly the case $t = 2$ corresponds to the SFP codes. The hierarchy relation 
is made clear in the following result, which is immediate from the definition of 
$(n, N, q, w, t)$-IPP codes. 

Proposition 2. For an $(n, N, q)$ code the following holds. 

$(n, N, q, w)$-SFP $=$ $(n, N, q, w, 2)$-IPP $<$ $(n, N, q, w, 3)$-IPP 
$< \cdots <$ $(n, N, q, w, \binom{\cdot}{\cdot})$-IPP. 

Thus an $(n, N, q, w)$-IPP code is always an $(n, N, q, w, t)$-IPP code for any fixed 
$t$. Thus the new codes are between the SFP and the IPP codes. 

An $(n, N, q, w, \binom{\cdot}{\cdot})$-IPP code is certainly an $(n, N, q, w)$-IPP code. So a rel- 
evant question is whether the hierarchy of codes in Definition 3 is strict from 
$t = 1$ to $t = \binom{\cdot}{\cdot}$. The next result shows that for $w = 2$, this is not the case. 
See [9] for a proof. 

Proposition 3. A code $C$ is an $(n, N, q, 2)$-IPP code iff it is an $(n, N, q, 2, 3)$- 
IPP code. 
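As an added example (not from the paper), the following Python code implements the descendant codes of Section 3, the frameproof test of Definition 2, the $(n,N,q,w,t)$-IPP test of Definition 3, the Union Construction and the right-hand side of the bound (2) from Section 4, and exercises them on a small constructed code; rs_code and all function names are constructed here and are not the authors'.

```python
from itertools import combinations, product
from math import ceil, floor

def desc(words):
    """Descendant code of a coalition: elem(1) x ... x elem(N)."""
    words = list(words)
    cols = [{c[j] for c in words} for j in range(len(words[0]))]
    return {tuple(x) for x in product(*cols)}

def coalitions(C, w):
    """All subsets C0 of C with 1 <= |C0| <= w, paired with desc(C0)."""
    C = sorted(C)
    return [(frozenset(C0), desc(C0))
            for size in range(1, w + 1) for C0 in combinations(C, size)]

def desc_w(C, w):
    """The w-descendant code desc_w(C)."""
    return set().union(*(d for _, d in coalitions(C, w)))

def is_frameproof(C, w):
    """(n,N,q,w)-FP (Definition 2.1): x in desc(C0) and x in C imply x in C0."""
    C = set(C)
    return all((d & C) <= C0 for C0, d in coalitions(C, w))

def is_t_ipp(C, w, t):
    """(n,N,q,w,t)-IPP (Definition 3): any k <= t coalitions of size <= w
    with a common descendant share a codeword.  t = 2 is the SFP property."""
    cs = coalitions(C, w)
    for k in range(2, t + 1):
        for group in combinations(cs, k):
            if (set.intersection(*(d for _, d in group))
                    and not frozenset.intersection(*(c0 for c0, _ in group))):
                return False
    return True

def union_construction(C):
    """Union Construction: C on Q x {0} together with its copy on the disjoint
    alphabet Q' = Q x {1} (the pair (a, 1) plays the role of a')."""
    return ({tuple((a, 0) for a in c) for c in C}
            | {tuple((a, 1) for a in c) for c in C})

def alphabet(C):
    return {a for c in C for a in c}

def blackburn_bound(N, q, w):
    """Right-hand side of (2): the upper bound on n for an (n,N,q,w)-FP code."""
    r = N % w or w                      # the unique r in {1,...,w}, r = N mod w
    hi, lo = q ** ceil(N / w), q ** floor(N / w)
    return max(hi, r * (hi - 1) + (w - r) * (lo - 1))

def rs_code(p):
    """Constructed (p^2, p+1, p) code: the point (x1, x2) of F_p^2 has codeword
    (x1 + a*x2 for a in F_p, x2).  Distinct codewords agree in at most one
    coordinate, so a coalition of size w covers at most w of the p+1 coordinates."""
    return {tuple([(x1 + a * x2) % p for a in range(p)] + [x2])
            for x1, x2 in product(range(p), repeat=2)}
```

For p = 3 the code is (9,4,3,3)-FP but not 4-FP: the coalition of the points (0,1), (1,0), (1,2), (1,1) produces the codeword (0,0,0,0) of the point (0,0); it is (9,4,3,2,3)-IPP and hence, by Proposition 3, 2-IPP, and the Union Construction yields an (18,4,6,3)-FP code.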

A sufficient condition for the existence of $(n, N, q, w)$-IPP codes can be ob- 
tained in terms of perfect hash families [10] and partially hashing families [4]. 
We provide a sufficient condition for the existence of $(n, N, q, w, t)$-IPP codes. 
The idea of the proof is from Theorem 2.8 of [10]. 

Theorem 12. Let $C$ be an $(n, N, q)$ code. If $\mathcal{H}(C)$ is an $(N, n, q, w, k(w + 2 - 
k) - w)$-SSHF, where $k$ is such that $k(w + 2 - k) = \max_{2 \le i \le t} \{ i(w + 2 - i) \}$, then $C$ 
is an $(n, N, q, w, t)$-IPP code. 

Proof: Let $D = \{C_1, \ldots, C_r\}$ be a minimal set of coalitions such that $x \in 
\bigcap_{i=1}^{r} \mathrm{desc}(C_i)$ and $\bigcap_{i=1}^{r} C_i = \emptyset$. Thus if we drop any $C_i$ from $D$, then there is at 
least one codeword $y_i \in \bigcap_{j \neq i} C_j$. Let $E = \bigcup_{i=1}^{r} C_i$ and $|E| = \beta$. We now obtain 
an upper bound on $\beta$. Each $C_i$ contains the codewords $y_1, \ldots, y_{i-1}, y_{i+1}, \ldots, y_r$ 
and it can contain at most $w - (r - 1)$ other codewords. Hence 

$$\beta \le r + r(w - r + 1) = r(w + 2 - r). \quad (6)$$ 

We have $\mathcal{H}(C)$ to be an $(N, n, q, w, \beta - w)$-SSHF. Let $A$ be a subset of $E$ 
such that $C_1 \subseteq A$ and $|A| = w$. Clearly such an $A$ exists. Let $B = E - A$. 
Then $|B| = \beta - w$. By the SSHF property, there is an $f \in \mathcal{H}(C)$ (an index 
$j \in \{1, \ldots, N\}$) such that $|\mathrm{elem}_A(j)| = w$ and $\mathrm{elem}_A(j) \cap \mathrm{elem}_B(j) = \emptyset$. But this 
implies $|\mathrm{elem}_{C_1}(j)| = |C_1|$ and $\mathrm{elem}_{C_1}(j) \cap \mathrm{elem}_{E - C_1}(j) = \emptyset$. Since $x \in \mathrm{desc}(C_1)$, 
there is a codeword $z \in C_1$ such that $z_j = x_j$. Since no codeword in $E$ is 
present in all coalitions in $D$, let $C'$ be a coalition of $D$ not containing $z$. But 
then $x \notin \mathrm{desc}(C')$, since no codeword in $C'$ can equal $x$ on index $j$. This is a 
contradiction. □ 

Corollary 3. Let $C$ be an $(n, N, q)$ code. If $\mathcal{H}(C)$ is an $(N, n, q, w, \ldots - w)$-SSHF, 
then $C$ is an $(n, N, q, w)$-IPP code. 

Proof: If $t$ is not fixed, then the maximum value of $\beta$ in (6) is $\ldots$. The 
rest of the argument is similar. □ 

Corollary 3 was obtained in [4] in terms of the partially hashing property. In [4], 
the probabilistic method based on Corollary 3 was used to show the existence 
of $(n, N, q, w)$-IPP codes for all $q > w + 1$. This also implies the existence of 
$(n, N, q, w, t)$-IPP codes for each $t$ and $q > w + 1$. 

Theorem 3 can be used to provide a sufficient condition for the existence 
of IPP codes in terms of error correcting codes. Let $C$ be an $(n, N, q, D)$ error 
correcting code with 

$$D > N \left( 1 - \frac{1}{\binom{w}{2} + w(\beta - w)} \right).$$ 

Using Theorem 3 we have that $\mathcal{H}(C)$ is an $(N, n, q, w, \beta - w)$-SSHF. From Theo- 
rem 12 and Corollary 3 we have the following. 

1. If $\beta = k(w + 2 - k)$, where $k$ is such that $k(w + 2 - k) = \max_{2 \le i \le t} \{ i(w + 2 - i) \}$, 
then $C$ is an $(n, N, q, w, t)$-IPP code. 

2. If $\beta = \ldots$, then $C$ is an $(n, N, q, w)$-IPP code. 

Using this and Theorem 4, we get the following result. See [9] for a proof. 

Theorem 13. For any positive integers $q$ and $w$, there exists an infinite class of 
$(n, N, q, w)$-IPP codes for which $N$ is $O(\ldots^{\log^* n} \log n)$. 
Abstract. In this paper, we consider a new class of unconditionally 
secure authentication codes, called linear authentication code (or linear 
A- code). We show that a linear A-code can be characterised by a fam- 
ily of subspaces of a vector space over a finite field. We then derive an 
upper bound on the size of source space when other parameters of the 
systems, that is the size of the key space and the authenticator space, 
and the deception probability, are fixed. We give constructions that are 
asymptotically close to the bound and show application of these codes 
in constructing distributed authentication systems. 

Key Words: Authentication Codes, Linear Authentication Codes, Dis- 
tributed Authentication Codes. 



1 Introduction 

Unconditionally secure authentication codes (A-codes) allow two trusting parties 
to communicate in the presence of an opponent who may construct a fraudulent 
message, and/or substitute a transmitted message with a fraudulent one. 

The construction of unconditionally secure authentication codes relies on a 
number of theoretical areas including design theory, finite geometry, coding the- 
ory, and information theory. Previous research on authentication theory has been 
mainly focussed on deriving bounds on parameters of A-codes and construction 
of codes with desirable properties such as having the minimum possible decep- 
tion probabilities and the minimum number of keys. In general, to describe the 
model of A-codes and characterise optimal codes, a combinatorial approach is 
used. For example, numerous results are in the form "an A-code with certain 
properties exists if and only if a certain combinatorial structure exists". 

In this paper, we introduce a new class of authentication codes, called linear 
A-codes. Linearity requires some additional algebraic properties for the A-codes; 
that is, we require both the key space and the authenticator space of the codes be 
vector spaces, and a source state to induce a linear mapping between them. The 
main motivation of linear A-codes stems from the study of distributed authenti- 
cation systems in which the functionality of authentication is to be distributed 
among a number of participants. The extra algebraic property allows more effi- 
cient construction of such distributed systems. 

We characterise linear A-codes in terms of a family of vector spaces over finite 
fields such that the dimension of the intersection of a pair of such subspaces does 
not exceed a certain desired value (the security parameter). We derive an upper bound 
on the number of possible source states of an A-code for given deception proba- 
bilities and number of keys, and give constructions that meet, or asymptotically 
meet, the bound. 

The paper is organised as follows. In section 2 we give definitions and review 
known results on A-codes that will be required for the rest of the paper. In 
section 3, we introduce linear A-codes and give characterisation of A-codes in 
terms of the families of subspaces of a vector space. Bounds on the number 
of source states and constructions that asymptotically meet the bounds, are 
given in sections 4 and 5. We show how linear A-codes can be used to construct 
distributed authentication schemes in section 6. Finally, we conclude the paper 
in section 7 and propose new research problems. 



2 Authentication Codes 

Authentication codes were first considered by Gilbert, MacWilliams and Sloane 
[9] . The general theory of unconditionally secure authentication systems has been 
initiated by Simmons ([17,18]) and extended by a number of authors (see, for 
example, [1,2,3,6,7,10,14,19,20,21,22,23]). 

In the conventional model for an unconditionally secure authentication system, 
there are three participants: a transmitter, a receiver and an opponent. The 
transmitter wants to communicate a message to a receiver using a public channel 
which is subject to active attacks. That is, the opponent may impersonate the 
transmitter and insert a message into the channel, or replace a transmitted 
message with a fraudulent one. To protect against these attacks, the transmitter 
and the receiver share a secret key which is used to choose an authentication 
rule from an authentication code (A-code for short). 

A systematic A-code (or A-code without secrecy) is a code in which a message 
sent over the channel consists of a source state (i.e. plaintext) concatenated with 
an authenticator (or a tag). Such a code is a triple $(S, \mathcal{E}, A)$ of finite sets together 
with an (authentication) function $f : S \times \mathcal{E} \to A$. We sometimes denote the A- 
code by $(S, \mathcal{E}, A, f)$. Here $S$ is the set of source states, $\mathcal{E}$ is the set of keys and $A$ 
is the set of authenticators. When the transmitter wants to send the source state 
$s \in S$ using a key $e \in \mathcal{E}$, which is secretly shared with the receiver, he transmits 
the message $(s, a)$, where $a = f(s, e) \in A$. When the receiver receives $(s, a)$, she 
checks the authenticity of the message by verifying if $a = f(s, e)$ holds, using 
the secret key $e \in \mathcal{E}$. If the equality holds, she accepts $s$ as authentic. 

Suppose the opponent has the ability to insert messages into the channel 
and/or to modify the existing messages. An impersonation attack is when the 
opponent inserts a new message $(s', a')$ into the channel. A substitution attack is 
when the opponent sees a message $(s, a)$ and changes it to $(s', a')$ where $s \neq s'$. 
A message $(s, a)$ is called valid if there exists a key $e$ such that $a = f(s, e)$. We 
assume that there is a probability distribution on the source states, which is 
known to all the participants. Given the probability distribution on the source 
states, the receiver and the transmitter will choose a probability distribution for 
$\mathcal{E}$. We will denote the probability of success of the opponent in impersonation 
and substitution attacks by $P_I$ and $P_S$, respectively. In the remainder of the 
paper, we will always assume that the keys and the source states are uniformly 
distributed. In this case we can represent $P_I$ and $P_S$ as follows. 

$$P_I = \max_{s, a} \frac{|\{ e \in \mathcal{E} \mid a = f(s, e) \}|}{|\mathcal{E}|},$$ 

$$P_S = \max_{s, a} \ \max_{s' \neq s,\ a'} \frac{|\{ e \in \mathcal{E} \mid a = f(s, e),\ a' = f(s', e) \}|}{|\{ e \in \mathcal{E} : a = f(s, e) \}|}.$$ 

One of the goals of authentication theory is to derive bounds on various pa- 
rameters of A-codes and to construct A-codes with desired properties. For a 
review of different bounds and constructions for A-codes, refer to [10,21,12]. 



3 Linear Authentication Codes 

Consider an A-code $(S, \mathcal{E}, A, f)$. For each key $e \in \mathcal{E}$, the authentication function 
$f : S \times \mathcal{E} \to A$ induces a mapping $\psi_e$ from $S$ to $A$ defined by $\psi_e(s) = f(s, e)$, $\forall s \in 
S$. Thus, the A-code $(S, \mathcal{E}, A, f)$ can be characterised completely by the family 
of mappings $\{ \psi_e \mid e \in \mathcal{E} \}$, and vice versa. An attractive family of mappings 
is obtained from almost strongly universal hash families, which were introduced 
by Wegman and Carter [22] and have been the basis of most combinatorial 
constructions. More details on the connection between almost strongly universal 
hash families and A-codes can be found in [2,22,21]. 

A source state $s \in S$ in an A-code $(S, \mathcal{E}, A, f)$ can also be uniquely associated 
with a mapping $\phi_s$ from $\mathcal{E}$ to $A$ defined by $\phi_s(e) = f(s, e)$, $\forall e \in \mathcal{E}$. Then, 
again, the A-code $(S, \mathcal{E}, A, f)$ can be characterised by a family of mappings $\Phi = 
\{ \phi_s \mid s \in S \}$. In a conventional authentication system the key space $\mathcal{E}$ and the 
authenticator space $A$ do not have any algebraic structure. We consider A- 
codes in which $\mathcal{E}$ and $A$ have algebraic structures. In particular, $\mathcal{E}$ and $A$ are 
vector spaces over a finite field $\mathbb{F}_q$, and $\Phi$ is a family of $\mathbb{F}_q$-linear mappings from 
$\mathcal{E}$ to $A$. These codes are called linear A-codes. As will be shown in section 6, 
linear A-codes are useful in constructing distributed authentication schemes. 

Definition 1. An A-code $(S, \mathcal{E}, A, f)$ is linear over $\mathbb{F}_q$ if 

(i) $\mathcal{E}$ and $A$ are finite dimensional vector spaces over $\mathbb{F}_q$; 

(ii) for all $s \in S$, $\phi_s$ defined by $\phi_s(e) = f(s, e)$ is an $\mathbb{F}_q$-linear mapping from $\mathcal{E}$ 
to $A$. 

We identify $S$ with $\Phi = \{ \phi_s \mid s \in S \}$, and write the A-code as $(\Phi, \mathcal{E}, A, f)$ 
to emphasise that the source states are represented as linear mappings. We may 
assume that $\mathcal{E} = \mathbb{F}_q^n$ and $A = \mathbb{F}_q^m$. Given a basis $e_1, e_2, \ldots, e_n$ of $\mathcal{E}$ and a basis 
$a_1, a_2, \ldots, a_m$ of $A$, a linear mapping $\phi \in \Phi$ can be represented by a unique 
$n \times m$ matrix $A$ over $\mathbb{F}_q$ such that $\phi(e) = eA$, $\forall e \in \mathcal{E}$. If $V$ and $W$ are two 
vector spaces over $\mathbb{F}_q$, and $\phi$ is a linear mapping from $V$ to $W$, we will denote 
$\mathrm{Ker}(\phi) = \{ v \in V \mid \phi(v) = 0 \}$. Obviously, $\mathrm{Ker}(\phi)$ is a subspace of $V$ and its 
dimension is denoted by $\dim(\mathrm{Ker}(\phi))$. 

Next, we compute the success probabilities of impersonation and substitution 
attacks for a linear A-code. For the impersonation attack, we have 



Pj = max max 
a^A 

= 



|{e I </.(e) 



1^1 



a}| 



where 7 = max0g,i>{dim(Ker((/))) | (j) G <P}. Clearly, j < n — m, and if equality 
holds then Pj achieves the maximal value. In this case, each <j) is onto, i.e., 
</>,(£) = A,VsG 5. 

For the substitution attach, we have 

P, = „ax „ax He 10(e) = 4n{eU-(c)=a-)| 

a,a'^A \{e I </>(e) = 0}| 

It follows that both $P_I$ and $P_S$ must be reciprocals of a power of $q$. That is, 
$P_I = q^{-t}$ and $P_S = q^{-d}$ for some integers $t$ and $d$, $t \ge d$, and so the performance of 
a linear A-code over $F_q$ can be determined by the parameters $|\Phi|$, $n$, $m$, $t$ and $d$. 
For given $t$ and $d$ (which correspond to the security level of the A-code), and 
$n$ and $m$ (which correspond to the key size and the length of the tag), we would like 
to have $|\Phi|$ as large as possible. Equivalently, for given $t$, $d$ and $|S|$ (the number 
of sources), we would like to construct a linear A-code with $|\Phi| = |S|$ such that $n$ 
and $m$ are as small as possible. 
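The probabilities above can be checked by brute force on a small instance. The following is an added example, not code from the paper: it computes $P_I$ and $P_S$ over all keys for a constructed $[2, 4, 1, 1]$ linear A-code over $F_3$ (one source state per line through the origin of $F_3^2$), checks the kernel conditions of Theorem 1 below, and compares $M$ with the bound of Theorem 2 from Section 4, which this instance meets exactly.

```python
"""Brute-force check of P_I, P_S, the kernel view of Theorem 1 and the bound
of Theorem 2 for a small linear A-code (added example, not the paper's code).
Constructed instance: q = 3, n = 2, m = 1, source states phi_(u,v)(e) =
u*e_1 + v*e_2, one per line through the origin of F_3^2."""
from fractions import Fraction
from itertools import product


def keys(q, n):
    """All keys e in E = F_q^n as tuples."""
    return list(product(range(q), repeat=n))


def tag(phi, e, q):
    """phi is an n x m matrix (list of rows); returns e * phi in F_q^m."""
    n, m = len(phi), len(phi[0])
    return tuple(sum(e[i] * phi[i][j] for i in range(n)) % q for j in range(m))


def p_impersonation(sources, q, n):
    """P_I = max over phi, a of |{e : phi(e) = a}| / |E|."""
    E, best = keys(q, n), 0
    for phi in sources:
        counts = {}
        for e in E:
            a = tag(phi, e, q)
            counts[a] = counts.get(a, 0) + 1
        best = max(best, max(counts.values()))
    return Fraction(best, len(E))


def p_substitution(sources, q, n):
    """P_S = max over phi != phi', a, a' of
    |{e : phi(e) = a} and phi'(e) = a'| / |{e : phi(e) = a}|."""
    E, best = keys(q, n), Fraction(0)
    for phi in sources:
        by_a = {}                                  # keys consistent with tag a
        for e in E:
            by_a.setdefault(tag(phi, e, q), []).append(e)
        for phi2 in sources:
            if phi2 == phi:
                continue
            for es in by_a.values():
                counts = {}
                for e in es:
                    a2 = tag(phi2, e, q)
                    counts[a2] = counts.get(a2, 0) + 1
                best = max(best, Fraction(max(counts.values()), len(es)))
    return best


def kernel(phi, q, n):
    return {e for e in keys(q, n) if tag(phi, e, q) == (0,) * len(phi[0])}


def log_q(x, q):
    """Exact log base q of a power of q (x is a subspace size or 1/P)."""
    d = 0
    while x > 1:
        x //= q
        d += 1
    return d


def gauss(n, k, q):
    """Gaussian coefficient [n over k]_q: number of k-dim subspaces of V(n, q)."""
    num = den = 1
    for i in range(k):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den


def theorem2_bound(n, t, d, q):
    k = n - (t + d) + 1
    return Fraction(gauss(n, k, q), gauss(n - t, k, q))


def analyse(sources, q, n):
    """Returns (P_I, P_S, t, d, M, Theorem 2 bound) after checking Theorem 1."""
    p_i, p_s = p_impersonation(sources, q, n), p_substitution(sources, q, n)
    t, d = log_q(int(1 / p_i), q), log_q(int(1 / p_s), q)
    kers = [kernel(phi, q, n) for phi in sources]
    # Theorem 1: dim(L) = n - t for every kernel L ...
    assert all(log_q(len(L), q) == n - t for L in kers)
    # ... and dim(L meet L') <= n - (t + d) for distinct kernels
    for i, L in enumerate(kers):
        for L2 in kers[i + 1:]:
            assert log_q(len(L & L2), q) <= n - (t + d)
    return p_i, p_s, t, d, len(sources), theorem2_bound(n, t, d, q)


Q, N = 3, 2
# constructed source states: the four lines of F_3^2, as 2 x 1 matrices
SOURCES = [[[u], [v]] for (u, v) in [(1, 0), (0, 1), (1, 1), (1, 2)]]
```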

Let $V(n, q)$ denote the $n$-dimensional linear space over $F_q$. 

Definition 2. A linear A-code $(S, \mathcal{E}, \mathcal{A})$ is called an $[n, M, t, d]$ linear A-code if 
$|S| = M$, $|\mathcal{E}| = q^n$, $P_I = 1/q^t$ and $P_S = 1/q^d$. 



Theorem 1. There exists an $[n, M, t, d]$ linear A-code if and only if there exists 
a family of subspaces of $V(n, q)$, 

$$\mathcal{L} = \{L \mid L \text{ is a subspace of } V(n, q)\}$$

such that 

(i) $|\mathcal{L}| = M$; 

(ii) $\dim(L) = n - t$, $\forall L \in \mathcal{L}$; 

(iii) $\dim(L \cap L') \le n - (t + d)$, $\forall L, L' \in \mathcal{L}$, $L \ne L'$. 

4 Bounds on Linear A-codes 



In an $[n, M, t, d]$ linear A-code over $F_q$, given $n$, $t$ and $d$ we would like to have 
$M$ as large as possible. In this section, we will derive some upper bounds on $M$. 
We denote by $M(n, t, d, q)$ the maximal $M$ for which an $[n, M, t, d]$ linear A-code 
over $F_q$ exists. 

Let $\begin{bmatrix} n \\ k \end{bmatrix}_q$ denote the Gaussian coefficient.¹ Then the number of $k$-dimensional 
subspaces of $V(n, q)$ is $\begin{bmatrix} n \\ k \end{bmatrix}_q$, which (with $k = n - t$, by Theorem 1) gives an upper 
bound for $M(n, t, d, q)$. The following theorem improves the result. 



Theorem 2. In an $[n, M, t, d]$ linear A-code over $F_q$, we have 

$$M(n, t, d, q) \le \begin{bmatrix} n \\ n - (t + d) + 1 \end{bmatrix}_q \Big/ \begin{bmatrix} n - t \\ n - (t + d) + 1 \end{bmatrix}_q .$$

For any fixed $n$ and $k$, as $q \to \infty$ we have 

$$\begin{bmatrix} n \\ k \end{bmatrix}_q = \frac{(q^n - 1)(q^{n-1} - 1) \cdots (q^{n-k+1} - 1)}{(q^k - 1)(q^{k-1} - 1) \cdots (q - 1)} \approx q^{(n-k)k} .$$

It follows that 

$$M \le \begin{bmatrix} n \\ n - (t + d) + 1 \end{bmatrix}_q \Big/ \begin{bmatrix} n - t \\ n - (t + d) + 1 \end{bmatrix}_q \approx q^{(n - (t + d) + 1)\,t} . \qquad (1)$$

In the next section we give a construction that meets the asymptotic bound 
in (1). 

It is also worth pointing out that while in the general theory of A-codes it 
is possible that the number of source states grows exponentially with the size of the key, 
for example in the constructions based on universal hash families (see, for example, 
[22,2,21,23]), because of the structural restriction this will not be true for linear 
A-codes. In fact, from Theorem 1 it is easy to see that $\log_q |S| \le n^2 = (\log_q |\mathcal{E}|)^2$, 
and this bound can be asymptotically achieved. For example, if $(t + d) - 1 \approx t \approx n/2$, 
then, as we will show in the next section, we will have a linear A-code 
with $\log_q M(n, t, d, q) \approx n^2/4$. 

¹ The Gaussian coefficient is defined as 

$$\begin{bmatrix} n \\ k \end{bmatrix}_q = \frac{(q^n - 1)(q^{n-1} - 1) \cdots (q^{n-k+1} - 1)}{(q^k - 1)(q^{k-1} - 1) \cdots (q - 1)} .$$
5 Constructions 

Rank distance codes [8] have been used to construct distributed authentication 
schemes such as $A^2$-codes by Johansson [11] and group authentication by van 
Dijk et al [7]. Inspired by their work, we show that linear A-codes can be con- 
structed from rank distance codes. It turns out that such constructions result in 
linear A-codes that asymptotically meet the bound in the previous section. 

We first review rank distance codes studied by Gabidulin in [8]. Let $\mathcal{A} = \{A_i\}$ 
be a set of $m$ by $t$ matrices over $F_q$. The distance $d(A, B)$ between two matrices 
$A$ and $B$ in $\mathcal{A}$ is defined by $d(A, B) = \mathrm{rank}(A - B)$ and the minimum distance of 
$\mathcal{A}$, denoted by $d(\mathcal{A})$, is defined as $d(\mathcal{A}) = \min_{A, B \in \mathcal{A},\, A \ne B} d(A, B)$. Let $d = d(\mathcal{A})$ and 
$M = |\mathcal{A}|$. We call $\mathcal{A}$ an $(m \times t, M, d)$ rank distance code. The following theorem 
establishes the relation between linear A-codes and rank distance codes. 

Theorem 3. If there exists an $(m \times t, M, d)$ rank distance code over $F_q$, then 
there exists an $[m + t, M, t, d]$ linear A-code over $F_q$. 

As shown in [11], in an $(m \times t, M, d)$ rank distance code we always have 
$d \le m - k + 1$, where $k = \log_{q^t} M$. Codes for which equality holds are 
called Maximum-Rank-Distance codes (or MRD-codes for short). Johansson [11] 
showed that MRD-codes can be constructed from linearised polynomials, briefly 
recalled in the following. 

Recall that a polynomial of the form $F(z) = \sum_{i} f_i z^{q^i}$, where $f_i \in F_{q^t}$, 
is called a linearised polynomial over $F_{q^t}$. Let $k, m, t$ be integers satisfying $0 < 
k < m < t$. By $P_{k,m,t}$ we denote the set of all linearised polynomials of degree 
at most $q^{k-1}$. Assume that $g_1, g_2, \dots, g_m$ are specified elements of the field $F_{q^t}$ 
which are linearly independent over $F_q$. For each $F(z) \in P_{k,m,t}$, set $c_{F(z)} = 
(F(g_1), F(g_2), \dots, F(g_m))^T$. 

We associate $c_{F(z)}$ with an $m \times t$ matrix $A(c_{F(z)}) = (a_{ij})$, which is obtained 
by writing $F(g_i)$ (expressed in a fixed base) as a row vector with entries in $F_q$. 

Lemma 1 ([11]). $\{A(c_{F(z)}) \mid F(z) \in P_{k,m,t}\}$ is an MRD-code. That is, 
$\{A(c_{F(z)}) \mid F(z) \in P_{k,m,t}\}$ is an $(m \times t, q^{tk}, m - k + 1)$ rank distance code. 

Applying Theorem 3 and Lemma 1, we obtain the following result. 

Corollary 1. Let $k, m, t$ be integers satisfying $0 < k < m < t$ and let $q$ be 
a prime. The above construction from linearised polynomials results in a $[t + 
m, q^{tk}, t, m - k + 1]$ linear A-code. 

Corollary 2. The parameters given in Corollary 1 asymptotically meet the bounds 
in Theorem 2. 
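The construction of Lemma 1 and Corollary 1 carried out for $q = 2$, as an added example that is not code from the paper or from [11]. It builds $\{A(c_{F(z)}) \mid F(z) \in P_{k,m,t}\}$, measures its rank distance by exhaustive comparison, and reports the $[m+t, q^{tk}, t, m-k+1]$ parameters of Theorem 3; it goes slightly beyond the text by running two parameter sets. Assumed: $F_{2^t}$ is represented as $F_2[x]/(p(x))$ with $p(x) = x^3+x+1$ for $t = 3$ and $x^4+x+1$ for $t = 4$, $g_i = x^{i-1}$, and the polynomial basis is the "fixed base".

```python
"""Johansson's MRD construction from linearised polynomials and the
parameters Theorem 3 assigns to it, for q = 2 (added example, not the paper's
code). Assumed representations: F_{2^t} = F_2[x]/(p(x)) with p(x) = x^3+x+1
(t = 3) or x^4+x+1 (t = 4), g_i = x^{i-1}, and the polynomial basis as the
"fixed base" in which each F(g_i) is written as a row."""
from itertools import combinations, product

MODULI = {3: 0b1011, 4: 0b10011}   # x^3+x+1 and x^4+x+1, irreducible over F_2


def gf_mul(a, b, t):
    """Product in F_{2^t}; elements are t-bit integers over the polynomial basis."""
    r = 0
    for i in range(t):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * t - 2, t - 1, -1):       # reduce modulo p(x)
        if (r >> i) & 1:
            r ^= MODULI[t] << (i - t)
    return r


def gf_pow(a, e, t):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a, t)
    return r


def lin_poly_eval(coeffs, z, t):
    """F(z) = sum_i f_i z^{2^i} over F_{2^t}; coeffs = (f_0, ..., f_{k-1})."""
    acc = 0
    for i, f in enumerate(coeffs):
        acc ^= gf_mul(f, gf_pow(z, 2 ** i, t), t)
    return acc


def code_matrix(coeffs, m, t):
    """A(c_F): row i is F(g_i) with g_i = x^i, written as t bits over F_2."""
    return tuple(tuple((lin_poly_eval(coeffs, 1 << i, t) >> j) & 1 for j in range(t))
                 for i in range(m))


def rank_f2(rows):
    """Rank over F_2 by elimination on the leading bit of each row."""
    basis = {}                                   # leading bit -> row vector
    for r in rows:
        v = sum(b << j for j, b in enumerate(r))
        while v:
            hb = v.bit_length() - 1
            if hb not in basis:
                basis[hb] = v
                break
            v ^= basis[hb]
    return len(basis)


def mrd_code(k, m, t):
    """{A(c_F) : F in P_{k,m,t}}: 2^{tk} matrices of size m x t."""
    return [code_matrix(cs, m, t) for cs in product(range(1 << t), repeat=k)]


def rank_distance(code):
    """d(A) = min rank(A - B) over distinct A, B; over F_2, A - B is A xor B."""
    return min(rank_f2([tuple(x ^ y for x, y in zip(ra, rb)) for ra, rb in zip(A, B)])
               for A, B in combinations(code, 2))


def theorem3_params(k, m, t):
    """[n, M, t, d] of the linear A-code Theorem 3 derives from the MRD code.
    Since n - (t + d) + 1 = k, M = 2^{tk} equals the asymptotic bound (1)."""
    return m + t, 2 ** (t * k), t, m - k + 1
```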

6 Applications 

Linear A-codes have been implicitly used in constructing distributed authenti- 
cation schemes, for example, $A^2$-codes [11], group authentication schemes [7] and 
one-time fail-stop signatures [16]. With appropriate modification, these construc- 
tions can be generalised to any linear A-codes. In this section we show how linear 
A-codes can be used as a building block for constructing group authentication 
schemes. 

Group authentication schemes, also known as threshold authentication schemes, 
were introduced by Desmedt et al [6] to generalise conventional authentication 
codes. In group authentication schemes there are multiple senders and the gener- 
ation of the authenticator requires collaboration of an authorized subset of senders. 
In a $(k, \ell)$ threshold authentication scheme, there are $\ell$ senders and generation 
of the authenticator for a message requires collaboration of at least $k$ senders. A gen- 
eral method of constructing a threshold authentication system is by combining a 
$(k, \ell)$ secret sharing scheme [15] and an authentication code, by sharing the au- 
thentication key among the $\ell$ senders. It is known that a direct combination will 
fail to fulfil the security requirement of such systems; care must be taken in 
the authentication operation for the generation of the authenticator so that 
one cannot recover the underlying authentication key even after having seen 
the authenticated message from the authorized group. To the best of our knowledge, 
all the previous constructions use Shamir's secret sharing and some particular 
examples of linear A-codes ([6,7]). We show that this construction method is 
generic in the sense that one can always construct group authentication schemes 
by combining any linear A-code and a (linear) secret sharing scheme. 

The construction of a $(k, \ell)$ group authentication scheme proceeds as follows. 
Let $(S, \mathcal{E}, \mathcal{A}, f)$ be an $[n, M, t, d]$ linear A-code over $F_q$. Assume that there are 
$\ell$ senders $P_1, \dots, P_\ell$ and a receiver $R$. Assume $q > \ell$ and $x_1, x_2, \dots, x_\ell$ are $\ell$ 
distinct elements of $F_q$ ($x_i$ is associated to $P_i$). Let $e_0, e_1, \dots, e_{k-1}$ be $k$ random 
values in $\mathcal{E}$. The key of $R$ is $e_0$ and the key of $P_i$ is 

$$\sum_{j=0}^{k-1} x_i^{\,j} e_j ; \qquad (2)$$

since $\mathcal{E}$ is an $n$-dimensional vector space over $F_q$, the right-hand side of equation 
(2) is well defined. Assume that $k$ senders want to authenticate a 
message $s \in S$. Each $P_{i_j}$ computes $b_{i_j}$ from its key and sends $a_{i_j} = f(s, b_{i_j})$ 
to the receiver $R$, where $B = \{i_1, \dots, i_k\}$. The receiver computes $a$ from the 
$a_{i_j}$ and accepts $s$ as authentic if $a = f(s, e_0)$. 

The security proof of the above scheme is similar to [7]. Thus, various group 
authentication codes can be obtained through different choices of the underlying 
linear A-code. In general, we can combine a linear A-code and a linear secret 
sharing scheme to construct a group authentication code. Details will be given 
in the full version of the paper. 
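The construction above as a runnable toy, added here and not taken from the paper: a $(k, \ell)$ scheme over $F_7$ with the linear A-code $f(s, e) = e M_s$ for a constructed $3 \times 2$ source matrix $M_s$. The page does not state how each $b_{i_j}$ and the receiver's $a$ are formed; the block assumes the standard Shamir reconstruction, i.e. each sender scales its share by its Lagrange coefficient at $0$ and the receiver adds the partial tags, which works because $f(s, \cdot)$ is linear.

```python
"""Toy (k, l) group authentication scheme from a linear A-code (added example,
not the paper's code). Assumed: the A-code is f(s, e) = e * M_s over F_Q with
a constructed source matrix; b_{i_j} = lambda_{i_j} * (key of P_{i_j}) with
Lagrange coefficients at 0 and a = sum of the partial tags (Shamir
reconstruction), which the page leaves unstated."""
import random

Q = 7          # field size; must exceed the number of senders l
N, M = 3, 2    # key space F_Q^N, tag space F_Q^M


def mat_vec(e, mat):
    """f(s, e) = e * M_s for an N x M source matrix mat, entries mod Q."""
    return tuple(sum(e[i] * mat[i][j] for i in range(N)) % Q for j in range(M))


def scale(c, v):
    return tuple(c * x % Q for x in v)


def add(u, v):
    return tuple((x + y) % Q for x, y in zip(u, v))


def lagrange_at_zero(xs):
    """lambda_j with sum_j lambda_j * p(x_j) = p(0) for every p of degree < len(xs)."""
    lams = []
    for j, xj in enumerate(xs):
        num = den = 1
        for l, xl in enumerate(xs):
            if l != j:
                num = num * xl % Q
                den = den * (xl - xj) % Q
        lams.append(num * pow(den, Q - 2, Q) % Q)   # inverse by Fermat
    return lams


def deal(coeffs, l):
    """Dealer: coeffs = [e_0, ..., e_{k-1}] in F_Q^N; R keeps e_0 and sender P_x
    (x = 1..l) gets the vector polynomial value sum_j x^j e_j, equation (2)."""
    shares = {}
    for x in range(1, l + 1):
        key = (0,) * N
        for j, e_j in enumerate(coeffs):
            key = add(key, scale(pow(x, j, Q), e_j))
        shares[x] = key
    return coeffs[0], shares


def sender_tag(source_mat, share, lam):
    """P_i computes b_i = lambda_i * share_i and sends a_i = f(s, b_i)."""
    return mat_vec(scale(lam, share), source_mat)


def receiver_accepts(source_mat, tags, e0):
    """R adds the partial tags and accepts iff the sum equals f(s, e_0)."""
    a = (0,) * M
    for t in tags:
        a = add(a, t)
    return a == mat_vec(e0, source_mat)


def run(coeffs, group, source_mat, l=4):
    """One authentication by the senders in `group` (a subset of 1..l)."""
    e0, shares = deal(coeffs, l)
    lams = lagrange_at_zero(group)
    tags = [sender_tag(source_mat, shares[x], lam) for x, lam in zip(group, lams)]
    return receiver_accepts(source_mat, tags, e0)


def random_coeffs(k, seed=0):
    rng = random.Random(seed)
    return [tuple(rng.randrange(Q) for _ in range(N)) for _ in range(k)]


S1 = [[1, 2], [3, 4], [5, 6]]   # constructed source state matrix M_s
```

With $k = 2$ any two of the four senders pass the check, while a single sender does not, since its scaled share is not $e_0$.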

7 Conclusions 

Linear A-codes are an interesting class of authentication codes. We have shown 
that such A-codes can be characterised in terms of families of subspaces of 
vector spaces over finite fields. We derived an upper bound on the number of 
source states of these codes and gave constructions that asymptotically meet 
the bound. However, the construction comes close to the asymptotic bound 
only when $q$, the field size, is sufficiently large. An interesting research problem 
is whether the bound in Theorem 2 can be met for general $q$, and in particular, 
when $q$ is small. 

A linear A-code $C = (S, \mathcal{E}, \mathcal{A}, f)$ is defined using vector spaces over finite 
fields. It is an interesting question whether, if we relax the algebraic structure to 
Abelian groups (or modules over rings), we can improve the bound of Theorem 
2 or give other non-trivial constructions. 

We believe linear A-codes can be used in other distributed systems in which 
A-codes play a role and so exploring such applications needs further work. 
Abstract. Traditional pen and paper transactions are becoming more 
and more replaced by equivalent electronic services. Therefore electronic 
mail should also provide enhanced services like those provided by tradi- 
tional mail. In this paper we present new optimistic protocols for certified 
e-mail. The major contribution of our paper is the definition of a new 
property, specific to certified e-mail: no author-based selective receipt. This prop- 
erty requires that once the identity of the author of the mail is known, 
the receipt can not be refused any more. We present two certified e-mail 
protocols respecting this property. 



1 Introduction 

Due to the tremendous growth of open networks in general and the Internet 
in particular, traditional 'pen and paper' transactions are becoming more and 
more replaced by equivalent electronic services. Probably the best example to 
illustrate this fact is electronic mail. Millions of e-mails are sent every day over 
the Internet. However the traditional post offers more sophisticated services, such 
as express mail, compensation for lost mail or certified mail. Hence, the electronic 
equivalent should offer similar services. Express mail deals with a fast delivery of 
mails before a fixed deadline. On networks, fast delivery is part of the nature of 
electronic mails and is naturally provided, unless at least one link on each route 
between the sender and the recipient is broken. However, the Internet is designed 
to resist a high number of failures. In a similar way, compensation for lost mail 
is almost never necessary, as an electronic item does not physically exist 
and cannot be lost in the same way as a traditional letter. Although e-mails can 
be mis-routed or lost due to network failures, the loss is insignificant as multiple 
copies of an item can easily be created. If the mail has to be delivered before 
a given deadline, the loss of a message, or a permanent network failure can be 
a problem. In that case, compensation could be an expected property, but this 
paper does not focus on this issue. The third service we mentioned is certified 
mail. This service provides a proof of delivery to the sender. In opposition to 
express mail and compensation for lost items, the electronic version of certified 
delivery is more complicated to provide than the traditional one. When we send 
a traditional certified mail, a person assures the exchange of the mail against a 
receipt. The mail is only handed to the receiver, after he has signed the receipt. 
On the other hand the receiver is sure that once he signed the receipt he will 
receive the mail, as the postman, holding the mail, stands in front of him. In 
an electronic environment, guaranteeing a certified mail is more complicated. 
Imagine the following scenario where Alice wants to send a mail to Bob: she 
sends an e-mail to Bob who is expected to return a receipt. In this scenario, 
Bob can first read the mail, and then decide whether he wants to admit having 
received it or not. He can choose not to send the receipt although he read the 
mail. If we change the scenario such that Bob sends the receipt before having 
received the message, we face a different problem: Alice could get the receipt 
and claim that Bob received a message he never saw. In order to overcome these 
problems we have to use specialized protocols. 

Before looking at existing certified e-mail protocols, we first discuss some 
related topics: fair exchange [1,2,11] and non-repudiation [8,9,14,16] protocols. 
All of these topics have the same underlying problem: an exchange of secrets 
in which none of the entities gains a significant advantage over the other one. 
In a fair exchange protocol an entity wants to exchange one or several items 
against one or several other items in a fair way, i.e. in a way that at the end 
of the protocol either both got their expected items or none of them got any 
valuable information. A certified e-mail protocol can be seen as an instance of a 
fair exchange protocol. However, in fair exchange protocols the expected item, 
or a description of it, is generally known a priori, before the exchange takes 
place. In a certified e-mail protocol, the message that is sent is not known to 
the receiver. In a non-repudiation protocol, an entity, Alice, sends a message 
to another entity Bob. At the end of the protocol, Alice is expected to have 
a non-repudiation of receipt evidence, i.e. an evidence that Bob received the 
message, and Bob is expected to have a non-repudiation of origin evidence, i.e. 
an evidence that Alice is the author of the message. These evidences can, in case 
of dispute, be presented to a judge. The difference between certified e-mail and 
non-repudiation protocols is not very clear in the literature and will be discussed 
later in more detail. 

The first solutions to this exchange problem were based on gradual exchange 
protocols [13]. The disadvantages of this approach are the requirement of equiv- 
alent computational power and the network overhead. The second approach is 
a probabilistic one [4,9] . Generally, the probability to cheat the other entity can 
be decreased by increasing the number of messages necessary in the protocol. To 
avoid the communication overhead, a different approach using a trusted third 
party (TTP) has been introduced. Both entities can send their items to the 
TTP that forwards them to the respective entities. However, this may create a 
communication and computation bottleneck at the TTP. To overcome this bot- 
tleneck, independently, Micali and Asokan et al. [1] introduced the optimistic 
approach in the context of fair exchange protocols. The rationale is that the 
TTP only intervenes in case of a problem, i.e. an entity is trying to cheat or a 
communication fails at a crucial moment. In an optimistic protocol, the TTP is 
said to be offline, while it is online in non-optimistic protocols. The optimistic 
approach has received most attention in recent literature. 
In the literature, there have been several papers addressing explicitly certified e- 
mail with either online TTP [7,10,15] or offline TTP [2,3,11]. However, all except 
Zhou et al. in [15] do not distinguish between a certified e-mail protocol 
and a non-repudiation protocol. In [15], Zhou et al. argue that non-repudiation 
of origin is not a required service — in fact, traditional certified mail does not 
provide it — and define a certified e-mail protocol to be a service that must be 
offered by an external delivery agent, in the same way it is realized by the post 
in traditional mail. We do not follow this last point, as the definition of a service 
provided by a protocol should not depend on how it is provided. Moreover, 
Zhou's approach does not permit the use of an optimistic approach, which is, in 
most cases, more efficient. In this paper, we propose an optimistic certified e- 
mail protocol and we introduce an additional property, specific to certified e-mail, 
that has not been discussed previously: author based selective receipt. Generally, 
it is required that once the message is known to the recipient, he cannot prevent 
the protocol from delivering the receipt. It seems to us that this property is not 
sufficient: we believe that once the identity of the author is revealed, the receipt 
has to be delivered to the sender, and of course the message to the recipient. 
In traditional certified mail, one does not get any information about the mail, 
neither the content nor the origin, before having signed the receipt. To better 
understand the crucial importance of that property, consider the following real 
life example. If a person does not pay the rent of his flat, he can refuse a certified 
mail coming from his landlord. He does not need to read the letter to guess that 
the landlord is claiming the rent and wants a proof for this claim. Knowing the 
identity of the sender would reveal enough information to guess the content of 
the letter. If we suppose that a network address, e.g. an IP address, is sufficient to 
identify a person, we need to introduce an additional mechanism. We propose to 
use a third party (or several third parties) as an anonymity provider. Hence, our 
protocol is not entirely optimistic. However, a third party providing anonymity is 
different from the TTP classically used in this kind of protocol. The third parties 
used for anonymizing communications do not have to generate evidences that 
need to be verified by an adjudicator during a dispute. An anonymity provider 
does not need to have jurisdiction over evidence generation, as a TTP does. Also, 
they do not need to be entirely trusted as they are observable by any exterior 
party, which could detect "strange" behaviors. 

The rest of the paper will be structured as follows. In section 2, we will define 
the properties required by a certified e-mail protocol. In section 3, we present two 
variants of a new certified e-mail protocol: the first protocol does not provide 
data confidentiality, while the second one does. We go on to discuss several 
solutions to the anonymity requirements of our protocols and finally conclude. 



2 Properties 



In this section we define all the properties a certified e-mail protocol is required 
to provide. We define them with respect to a sender, whom we call Alice, and a 
recipient, whom we call Bob. Throughout the rest of this paper we also assume that no 
party acts against its own interests. This assumption is rather natural and dis- 
cards scenarios where a dishonest party, i.e. a party not following the protocol, 
could break some of the properties defined below by harming itself. 

The first property is non-repudiability. Two kinds of non-repudiation services 
are required: non-repudiation of receipt and non-repudiation of origin. 

Definition 1 (Non-repudiation of receipt). A certified e-mail protocol pro- 
vides non-repudiation of receipt, if and only if it generates a non-repudiation of 
receipt evidence, destined to Alice, that can be presented to an adjudicator, who 
can unambiguously decide whether Bob received a given message or not. 

Definition 2 (Non-repudiation of origin). A certified e-mail protocol pro- 
vides non-repudiation of origin, if and only if it generates a non-repudiation of 
origin evidence, destined to Bob, that can be presented to an adjudicator, who 
can unambiguously decide whether Alice is the author of a given message or not. 

Non-repudiation of origin is not necessary in a certified e-mail protocol, as it is 
not provided by a classic certified mail service. However, in most papers on certi- 
fied e-mail it is treated as a mandatory property [3,7,10]. Moreover, in optimistic 
protocols a non-repudiation of origin evidence is provided quite naturally, as Bob 
must prove he received a message from Alice, when contacting the TTP. Both 
protocols that we present in the following section will provide non-repudiation 
of origin. 

A second property the protocol must respect is fairness. 

Definition 3 (Fairness). A certified e-mail protocol is fair if and only if at 
the end of a protocol execution either Alice got the non-repudiation of receipt 
evidence, and Bob got the corresponding mail (as well as the non-repudiation of 
origin evidence if required), or none of them got any valuable information. 

Fairness ensures that none of the entities can cheat the other, i.e. arrives in a 
situation where either Alice or Bob has got his expected item, and the other has 
no means of receiving his item anymore. 

Another important property is timeliness. 

Definition 4 (Timeliness). A certified e-mail protocol provides timeliness if 
and only if all honest parties always have the ability to reach, in a finite amount 
of time, a point in the protocol where they can stop the protocol while preserving 
fairness. 

Timeliness assures that an entity does not need to keep open protocol runs for 
an infinite amount of time. Such a situation could occur if an entity is not sure 
whether the other entity stopped the protocol or not. It must always be possible 
for an entity to quit a protocol, without giving the possibility to the other entity 
to gain any advantage. 

An optional property that can sometimes be required is confidentiality. 

Definition 5 (Data confidentiality). A certified e-mail protocol is said to 
provide data confidentiality, if and only if Alice and Bob are the only entities 
that can extract the content of the sent mail out of the protocol messages. 
This property ensures that no one can read the content of a sent mail, by for 
instance listening to the communication channels. In pen and paper transactions 
this property should be ensured by the envelope. Moreover, confidentiality is not 
always required. As adding confidentiality harms the efficiency of the protocol 
and is not always requested, we will present two protocols, where the first one 
does not provide confidentiality. It could also be interesting to anonymize Alice's 
identity from all entities exterior to the protocol and to provide entity confiden- 
tiality. In the remainder of this paper, we only consider data confidentiality. 

The last property we require is no selective receipt. Selective receipt comes 
in two flavors. 

Definition 6 (No message based selective receipt). A certified e-mail pro- 
tocol does not allow message based selective receipt if and only if once the mes- 
sage is known to Bob, he cannot prevent delivery of a receipt to Alice. 

No message based selective receipt is directly implied by the fairness requirement. 
We mention this property, as it has been discussed before in literature. 

Definition 7 (No author based selective receipt). A certified e-mail pro- 
tocol does not allow author based selective receipt if and only if once the identity 
of the author is known to Bob, he cannot prevent delivery of a receipt to Alice. 

No author based selective receipt is a new property introduced in this paper. 
We believe that hiding the content of a mail, while stopping the protocol is 
still possible, is not sufficient. One should also hide the author’s identity. In 
many cases the origin of a message leaks enough information to guess the mail’s 
content¹. 

3 The Protocols 

In this section, we present two variants of a new protocol. The first protocol 
does not provide confidentiality, while the second one does. We believe that for 
efficiency reasons it is important that a user can decide to require confidentiality 
or not, as any additional property requires additional signatures or ciphers to be 
computed. We will discuss the security of each of the protocols with respect to 
the different properties. In both protocols, we assume that the communication 
channels between the TTP and respectively Alice and Bob are resilient, i.e. all 
data sent on such a channel arrive correctly after a finite, but unknown amount 
of time, although there may be delays. Channels between Alice and Bob may be 
unreliable, that means that data may accidentally be lost. Each of the protocols 
consists of three sub-protocols: a main protocol, an abort protocol and a recovery 
protocol. The main protocol performs the exchange. Both the abort protocol and 
the recovery protocol are used in case of problems to contact the TTP and either 
cancel the exchange or force a correct termination of the exchange. 

¹ Of course, every sent certified e-mail has to provide this property. Otherwise, a 
recipient always rejects anonymous messages. 
3.1 A Certified E-mail Protocol 

Notations. We use the following notations to describe the protocol. 

— $X \to Y$: transmission from entity $X$ to entity $Y$ 

— $X \Rightarrow Y$: anonymous transmission from entity $X$ to entity $Y$ 

— $X \Leftarrow Y$: reply from entity $Y$ to entity $X$ on an anonymous channel 

— $h()$: a collision resistant one-way hash function 

— $E_k()$: a symmetric encryption function under key $k$ 

— $D_k()$: a symmetric decryption function under key $k$ 

— $E_X()$: a public-key encryption function under $X$'s public key 

— $S_X()$: the signature function of entity $X$ 

— $m$: the mail sent from $A$ to $B$ 

— $k$: a fresh session key $A$ uses to cipher $m$ 

— $c = E_k(m)$: the result of a symmetric ciphering of $m$ under the key $k$ 

— $\ell = h(m, A, B, k)$: a label that, in conjunction with the identities $(A, B)$, 
uniquely identifies a protocol run² 

— $f$: a flag indicating the purpose of a message 

The protocol generates the following evidences. 

— $EOO = S_A(f_{EOO}, A, B, TTP, \ell, h(c), k)$ 

— $EOR_c = S_B(f_{EOR_c}, B, TTP, \ell, h(c), E_{TTP}(f_{EOO}, A, B, \ell, k, EOO))$ 

— $EOR_k = S_B(f_{EOR_k}, A, B, \ell, k)$ 

— $Con_k = S_{TTP}(f_{Con_k}, A, B, \ell, k)$ 

— $Abort = S_A(f_{Abort}, \ldots)$ 

— $Con_{abort} = S_{TTP}(f_{Con_{abort}}, \ell)$ 

Main Protocol 

1. $A \Rightarrow B$: $f_{com}, B, TTP, \ell, c, E_{TTP}(f_{EOO}, A, B, \ell, k, EOO)$ 

2. $A \Leftarrow B$: $f_{EOR_c}, \ell, EOR_c$ 

   if $A$ times out then abort 
   else 

3. $A \to B$: $f_{EOO}, A, B, \ell, k, EOO$ 

   if $B$ times out then recovery[$X := B$, $Y := A$] 
   else 

4. $B \to A$: $f_{EOR_k}, A, B, \ell, EOR_k$ 

   if $A$ times out then recovery[$X := A$, $Y := B$] 



The main protocol is composed of four messages. Alice starts by sending a com- 
mitment to the mail to Bob. This commitment consists of a cipher of the mail 
$m$, as well as a cipher of the key $k$ and the evidence of origin for $m$, ciphered 
with the TTP's public key. We also include the identity of the TTP that can be 
contacted in case of problem, as well as a label $\ell$ that in conjunction with the 
identities $(A, B)$ uniquely identifies a protocol run. This label is added to each 
protocol message and avoids interference of different protocol runs. Moreover the 
purpose of each message is indicated by a flag. Also note that all the signatures 
in the protocol are on the hash of the cipher $c$, and not on the cipher itself. 
This allows us not to send the entire ciphertext, which can be very large, 
to the TTP in case of a recovery protocol, but only its hash. The first message 
is sent via an anonymous channel, hiding the sender's identity. Realization of 
such a channel will be discussed in the next section. Bob replies, via the open 
anonymous channel, sending an evidence of receipt for the cipher $c$. If Alice does 
not receive a valid response within a reasonable amount of time, she launches the 
abort protocol to stop the protocol. Here, a valid response means a response co- 
herent with the previous message, i.e. the label must match the label in message 
1 and the signature has to be correct. Otherwise Alice sends the key $k$ and the 
evidence of origin $EOO$ to Bob. If Bob does not receive a valid third protocol 
message, he executes the recovery protocol. Otherwise he sends an evidence of 
receipt for the key $k$ to Alice. If Alice does not receive a valid evidence of receipt 
for the key, she has to contact the TTP in order to recover the protocol. 

² Although the label $\ell$ contains the identities of both Alice and Bob, we have to add 
them to the identification, as the TTP is unable to verify the content of the label 
(the TTP only verifies that the label is coherent with previous messages). 



Recovery Protocol 

1. $X \to TTP$: $f_{Rec_X}, B, \ell, h(c), EOR_c, E_{TTP}(f_{EOO}, A, B, \ell, k, EOO)$ 

   if (aborted or recovered) then stop 
   else 
     recovered = true 

2. $TTP \to A$: $f_{Rec_A}, A, k, Con_k, EOR_c$ 

3. $TTP \to B$: $f_{Rec_B}, A, B, \ell, k, EOO$ 



The aim of the recovery protocol is to enable either Alice or Bob to force a 
successful end of the protocol. The recovery protocol can be executed, once the 
protocol has reached a certain state. Bob can recover the protocol once he has 
got the first message from Alice, and Alice can launch it after having received 
the second message of the main protocol, i.e. the first message from Bob. When 
an invalid recovery request arrives, i.e. the signatures do not match the content 
of the cipher for the TTP, the TTP sends a signed message to alert X that the 
request is invalid. Receiving an invalid request token assures to X that Y will 
not be able to perform a valid recovery request and X can stop the protocol. 
Note that an invalid request does not disable the possibility to abort or recover 
the protocol later. When a valid recovery request arrives, the TTP must first 
ensure that this protocol run has not been aborted before. The protocol run is 
identified by the label $\ell$ and the identities $(A, B)$. The abort protocol and the 
recovery protocol are mutually exclusive. In a first message either Alice or Bob 
sends all information the TTP needs to complete the protocol and to be sure the 
protocol has been started between Alice and Bob. The first message contains the 
hash of the cipher c, needed for the verification of EOO and EORc, the evidence 
of receipt for the cipher c, as well as the key and the evidence of origin ciphered 
with the TTP’s public key. After having verified the validity of the signatures 
the TTP sends a confirmation of the key k, replacing the evidence of receipt for 
k, and the evidence of receipt for c to Alice. The TTP also sends the key k and 
the evidence of origin to Bob. 



Abort Protocol 

1. $A \Rightarrow TTP$: $E_{TTP}(f_{Abort}, A, B, \ell, Abort)$ 

   if (recovered or aborted) then stop 
   else 
     aborted = true 

2. $A \Leftarrow TTP$: $f_{Con_{abort}}, \ell, Con_{abort}$ 

3. $TTP \to B$: $Con_{abort}$ 



The abort protocol can be launched by Alice, if Alice does not receive the second 
message of the main protocol. When Alice aborts the protocol, the TTP first has 
to verify that the protocol has not yet been recovered. Once the abort protocol 
has been engaged, recovery is not possible anymore. The communication between 
Alice and the TTP is ciphered and anonymous, in order to avoid Bob tracing the 
abort request to its originator. To abort the protocol Alice sends a signed abort 
request including the label that identifies the protocol. The request is ciphered 
using the TTP’s public key to hide Alice’s identity from Bob. The TTP sends a 
signed abort confirmation to both Alice and Bob. Once Alice started the abort 
protocol, she must not continue the main protocol anymore, even if the second 
message arrives. If the second message arrives and Alice continues the protocol, 
she does not have the ability to recover the protocol anymore. If Bob does not 
send the last message of the main protocol, Alice will not receive a receipt for 
her mail. Hence, Alice must stop the protocol after having received an abort 
token. 



Properties 

Non-repudiability. The protocol generates a non-repudiation of origin evidence 
(NRO) and a non-repudiation of receipt evidence (NRR). We have that 

- $NRO = EOO$, 

- $NRR = (EOR_c, EOR_k)$ or $NRR = (EOR_c, Con_k)$. 

In case of repudiation of receipt, i.e. Bob denies having received a given mail, 
Alice can prove the receipt by presenting $EOR_c$, $EOR_k$ or $Con_k$, $EOO$, $\ell$, $m$, $c$, $k$, 
as well as the identities of $A$, $B$ and the TTP to an adjudicator. The adjudicator 
verifies that: 

- $EOO = S_A(f_{EOO}, A, B, TTP, \ell, h(c), k)$ 

- $EOR_c = S_B(f_{EOR_c}, B, TTP, \ell, h(c), E_{TTP}(f_{EOO}, A, B, \ell, k, EOO))$ 

- $EOR_k = S_B(f_{EOR_k}, A, B, \ell, k)$ or $Con_k = S_{TTP}(f_{Con_k}, A, B, \ell, k)$ 

- $\ell = h(m, A, B, k)$ 

- $c = E_k(m)$ 

If all the tests hold, the adjudicator concludes that Bob received the message. 

In a similar way, in case of repudiation of origin, i.e. Alice denies being the 
author of the message, Bob can present $EOO$, $\ell$, $m$, $c$, $k$, as well as the identities of 
$A$, $B$ and the TTP to an adjudicator to prove the mail’s origin. The adjudicator 
verifies that 

- $EOO = S_A(f_{EOO}, A, B, TTP, \ell, h(c), k)$ 

- $\ell = h(m, A, B, k)$ 

- $c = E_k(m)$ 

If all the tests hold, the adjudicator concludes that Alice is the author of the 
mail. 

Fairness. We will now show that the proposed protocol is fair: neither Alice nor 
Bob can receive a valuable item without the other one having the possibility 
to also do so. Therefore we will look at the different possible executions of the 
protocol. If the main protocol is entirely executed, it is trivial to see that the 
protocol provides fairness. 

We will look at the possible implications of the abort protocol. The abort 
protocol can only be executed by Alice, as the abort request is signed. Note that 
a protocol run is identified by $\ell$ and $(A, B)$ (with $(A, B) \ne (B, A)$). Hence, this 
protocol run can only be aborted by Alice. Alice has the possibility to execute the 
abort protocol at any moment. However, executing it after having sent the third 
message of the main protocol could harm Alice. We therefore suppose that an honest 
Alice only executes the abort protocol before the third message of the main 
protocol. That means that neither the mail m nor any of the non-repudiation 
evidences has been exchanged. Any recovery request from either Alice or Bob will 
be refused by the TTP. In order not to harm herself, Alice will not continue the 
main protocol once she has executed the abort protocol. Neither Alice nor Bob 
can receive any valid item in this protocol run. 

We will continue examining the consequences of a recovery protocol. Mutual 
exclusion of the abort protocol and the recovery protocol is ensured by the TTP. 
We can not have a situation where Alice has stopped the protocol, after having 
aborted it and Bob can recover the protocol by receiving the mail and the non- 
repudiation of origin message. The recovery protocol sends the expected items 
to both Alice and Bob. The only way of breaking fairness would be to send an 
invalid item to one of the entities and not to the other. However sending any 
invalid item will result in invalid evidences. Consider for instance, that Alice 
sends an invalid key in the first message of the main protocol. This key is always 
included in the non-repudiation of receipt evidence and so the evidence will be 
invalid. 
Now consider the case where an invalid recovery request is sent to the TTP. 
Bob cannot verify the validity of his recovery request and could possibly not 
be able to generate a valid recovery request, as a part of it has been ciphered 
by Alice for the TTP. If the cipher contains incorrect information, the recovery 
cannot be performed and Bob is informed of this by means of an incorrect 
request token. However, in that case neither Alice nor Bob can perform a recovery, 
as the cipher containing incorrect data has been signed by Bob in $EOR_c$ and can 
not be replaced by Alice. We conclude that our protocol provides fairness. 
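The TTP-side decision logic of the abort protocol above and the mutual exclusion with recovery argued under Fairness, as an added example (not the paper's own code): runs are keyed on $(\ell, A, B)$, only the originator A may abort, and a recovery request whose ciphered part fails the TTP's check gets an incorrect-request token. Signature verification and decryption of the request are assumed to have been done by the caller, and the token names are constructed labels.

```python
from dataclasses import dataclass


@dataclass
class RunState:
    """Flags the TTP keeps per protocol run (ell, A, B)."""
    aborted: bool = False
    recovered: bool = False


class CertifiedMailTTP:
    """Minimal TTP: one state record per run (ell, A, B).
    (ell, B, A) is a different run, as the paper notes."""

    def __init__(self):
        self.runs = {}

    def _run(self, ell, a, b):
        return self.runs.setdefault((ell, a, b), RunState())

    def abort(self, requester, ell, a, b):
        """Abort request. The request is signed by A, so only the originator
        A of run (ell, A, B) can abort it. Returns the token the TTP issues
        (constructed labels for the paper's Con_abort / stop outcomes)."""
        if requester != a:
            return "refused"             # signature would not be A's
        st = self._run(ell, a, b)
        if st.recovered or st.aborted:
            return "stop"                # already decided, nothing to do
        st.aborted = True
        return "Con_abort"               # sent to both A and B

    def recover(self, requester, ell, a, b, request_ok=True):
        """Recovery request from A or B. request_ok models the TTP's check
        of the part ciphered by Alice; a bad cipher yields an incorrect
        request token and changes no state, so an abort is still possible."""
        if requester not in (a, b):
            return "refused"
        if not request_ok:
            return "incorrect_request"
        st = self._run(ell, a, b)
        if st.aborted:
            return "aborted"             # recovery refused after an abort
        st.recovered = True              # blocks any later abort
        return "Con_k"                   # both parties get their items
```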

Timeliness. Timeliness is provided by the fact that the communication channels 
between the TTP and both Alice and Bob are resilient. This means that all sent 
messages are received correctly after a finite amount of time. Looking at the 
protocol, we see that Alice at each moment of the protocol can contact the TTP 
to end the protocol: before having sent the third message Alice can abort the 
protocol and thereafter Alice can recover it. Bob can always execute a recovery 
protocol or at least receive an incorrect request token signed by the TTP. Hence 
at any moment in the protocol, both Alice and Bob have the ability to finish the 
protocol in a finite amount of time. In the previous paragraph we showed that 
executing the abort or the recovery protocol results in a fair termination of the 
protocol. Hence our protocol provides timeliness. 

No selective receipt. No message based selective receipt is implied by fairness. 
To show that the protocol respects no author based selective receipt, we look at 
all possible executions of the protocol. After arrival of the first message, as the 
transmission is anonymized, Bob does not know Alice’s identity. At this moment, 
Bob has the possibility to either execute the recovery protocol, stop the protocol 
or continue it by sending the second message. If Bob launches the recovery 
protocol, the protocol ends successfully, so Alice’s identity may be revealed. If Bob 
stops the protocol after having received the first message, Alice will execute the 
abort protocol. The abort protocol needs to be anonymized to avoid the following 
attack: Bob stops the protocol after having received the first message and waits 
for the TTP to receive an abort request for the protocol. Even if this request is 
ciphered, one could try to trace all incoming requests and recover Alice’s identity. 
Therefore we use anonymous transmissions that can not be traced. All data sent 
to an anonymity provider must also be ciphered for this provider. For instance 
the abort request is first ciphered for the TTP, and then, additionally, for the 
anonymity provider. Otherwise, Bob can permanently observe several “potential 
Alices”, and compare outgoing messages to the certified e-mails he is receiving 
and to the requests arriving at the TTP. If Bob sends the second message, Alice 
will send message 3 of the main protocol. Once the third message is sent the 
fairness property ensures successful termination of the protocol. 

3.2 A Confidential Certified E-mail Protocol 

Notations. The notation will be the same as in the previously described 
protocol. The changed evidences generated in the protocol are the following. 

- $EOO = S_A(f_{EOO}, A, B, TTP, \ell, h(c), E_B(k))$ 

- $EOR_c = S_B(f_{EOR_c}, B, TTP, \ell, h(c), E_{TTP}(f_{EOO}, A, B, \ell, E_B(k), EOO))$ 

- $EOR_k = S_B(f_{EOR_k}, A, B, \ell, E_B(k))$ 

- $Con_k = S_{TTP}(f_{Con_k}, A, B, \ell, E_B(k))$ 

The main protocol is very similar to the previous protocol. The difference 
from the first protocol is that the key k is systematically ciphered using Bob’s 
public key. There are two reasons to do so. Firstly, we avoid an additional 
ciphering operation at the TTP during a recovery request. Secondly, we prevent 
the TTP from gaining knowledge of the mail, or from helping some external 
attacker to gain it. The only change we made to the recovery protocol is that the 
first message contains the key ciphered with Bob’s public key, and in messages 2 
and 3 the ciphered key is sent instead of the plain key. Neither the TTP, nor an 
external observer, ever gains knowledge of the mail content. The abort protocol 
is identical to the abort protocol in the previous section. 



Properties. Most of the reasoning for the previously discussed properties also 
holds for this protocol, as only minimal changes have been made. When we 
contact the adjudicator, we have to send all data on a confidential channel, in 
order for the mail content to stay confidential. When the adjudicator verifies the 
evidences, he additionally needs to check that ciphering k with Bob’s public key 
results in the $E_B(k)$ signed in the respective evidences. Therefore we must not use 
a probabilistic ciphering algorithm. We need to use a ciphering algorithm that 
associates exactly one cipher to one plain text. Confidentiality is easily proved. 
The plain mail is never sent over the network. To recover the mail, one has to 
know the cipher c and the key k. However, the key k only intervenes ciphered 
under Bob’s public key. If the ciphering algorithms producing both c and $E_B(k)$ 
are secure, the only party that can gain knowledge of m is Bob. 

4 Anonymous Transmissions 

In this section we will briefly discuss how anonymous transmissions may be 
realized. Consider first a situation where the network address does not reveal 
someone’s identity. This can be the case in public places offering Internet access, 
e.g. a cybercafe. In that case no additional mechanisms to provide anonymity 
are required. 

In many cases, the network address can be thought to be equivalent to a 
person’s identity. Then we need more elaborate mechanisms. A simple and 
commonly used way to provide anonymity on a network consists of special hosts, 
such as anonymizers or re-mailers. These hosts are used as intermediaries to 
hide the direct link between two hosts. Although this solution is very easily 
implemented, it suffers from several drawbacks. It does not resist more elaborate 
attacks, based on traffic analysis. Examples of such attacks are described in [5]. 

If we have to care about a powerful receiver that can attack simple anonymizers, 
one has to use solutions such as mixnets, proposed by Chaum in [6]. Mixnets 
are chains of anonymizers, called mixes, that only know the address of the 
preceding and the following host. All sent message blocks have the same length and 
the hosts always wait for a minimum number of messages before forwarding them. The 
order of the different incoming messages is mixed, making tracing of messages 
impossible. Moreover, $k - 1$ out of $k$ mixes may collude without compromising 
anonymity. Although mixnets are rather inefficient, they offer secure anonymity 
services. 

However, in our context, mixnets are not suitable, as they do not offer the 
possibility of anonymous replies: in our protocols, Bob has to reply to Alice on 
an anonymous channel without knowing her identity. On simple re-mailers, 
solutions based on pseudonyms are available. If we need secure anonymity services 
resisting traffic analysis, we may use the Onion Routing system [12], proposed 
and maintained by the US Naval Research Center. The onion routing system is 
based on an anonymous connection, set up once for the whole transmission, and 
defines a solution to the anonymous reply problem. 

In practice a trade-off between security and efficiency needs to be made. The 
choice of the chosen solution will depend on the importance of the mail. 

5 Conclusion 

In this paper we presented a new protocol for certified e-mail. We discussed the 
properties of certified e-mail and their links to related problems, namely fair 
exchange, contract signing and non-repudiation. We introduced a new property, 
no author based selective receipt, that is specific to certified e-mail. The property 
claims that once the identity of the author of a mail is known, the receipt of 
the mail can not be refused anymore. Then we presented two variants of a new 
protocol: the first one does not provide confidentiality, while the second one does. 
As confidentiality is not always required, and harms the efficiency of the protocol, 
we suggest leaving the choice of whether confidentiality is provided to the user. 
Both protocols provide no author-based selective receipt. Finally, we discussed 
some mechanisms to provide the anonymous transmissions that are needed in our 
protocols. 
Abstract. This paper presents a watermark insertion algorithm applied 
to the spatial domain of an image. It is assumed that a possible forger knows 
the proposed watermarking technique. The retrieval of the watermark is 
based on the principles of error correcting codes using a secure image key 
and the original image. The scheme can identify a buyer specific signature 
from the image in the form of a unique buyer key assigned to every 
copy of the image being sold. The survival of the watermark is demonstrated 
for a wide range of image transformations and forging attempts 
both in spatial and frequency domains. 

Keywords: Buyer Key, Digital Watermarking, Error Correcting Code, 
Image Key. 



1 Introduction 

With the increased use of digital media and internet technologies, the distribution 
and dissemination of digital multimedia objects has become widespread. One of 
the important issues in this area is the introduction of a secure copyright technique 
for multimedia data. In this paper, we present an invisible digital watermarking 
technique for images and show that effective recovery of the watermark is possible 
even under a variety of attacks. 

In general the watermark insertion strategy revolves around inserting watermarks 
in the perceptually significant regions of the image [7]. This motivation is 
based on the fact that any attempt to modify the watermark results in visible 
distortion of the image. A number of watermarking techniques exist that introduce 
watermarks in the spatial domain [14,4,2], most of which are not robust 
enough in case of intentional attacks in the frequency domain. In one of the 
important frequency domain watermarking techniques, Cox et al have proposed 
spread spectrum based insertion of the watermark, modifying the major DCT 
components [3]. The inserted watermark is recovered using a statistical similarity 
measure with the original watermark. A similar approach, statistically modeling 
the DCT coefficients, is reported in [6]. Ruanaidh et al [13] have introduced the 
watermark by modifying the phase of the DFT, as it is perceptually more important 
than the magnitudes of the Fourier coefficients. The differential-energy watermarking 
algorithm embeds labeled bits by selectively discarding high frequency discrete 
cosine transform (DCT) coefficients in certain selected image regions [8]. An 
information theoretic model for steganography is given in [1], where uncertainty 
about the embedded watermark is resolved using principles of hypothesis testing. 

Our proposed technique of watermarking does not depend on the perceptually 
significant regions of the image; rather, it is based on the concept of an image key 
and a buyer key. The buyer key ensures a footprint specific to the buyer of a 
particular multimedia object, while the image key depends on the spatial 
organization of the pixels. Therefore, the recovery of the watermark in this case not 
only protects the copyright but also authenticates the possible owner in case multiple 
copies of the same image, or some modifications of it, are sold. This is achieved 
without any additional computational cost to the watermarking process. The 
desirable objectives of the proposed watermarking scheme are as follows. 

1. We consider that the algorithm for watermarking is known to the possible 
attacker. However, the key(s) associated with the process are kept secret as usual. 

2. We use error correcting codes to generate secure buyer key(s). A random 
partitioning of the image is used as the image key. 

3. At no point is the perceptual quality of the image compromised. The 
process of watermark insertion is controlled to the extent that the image 
pixels stay well within just noticeable distortions. 

4. Every multimedia object has a single image key and multiple buyer keys 
depending on the number of copies sold. So, the parameters for key generation 
can be different for an expensive multimedia object compared to a low cost 
one. It is presumed that a high value item is sold in smaller numbers than 
a low value one. Accordingly, a high value item is secured in greater detail. 

Graver et al [4] have introduced watermark after dividing the image into two 
blocks and then modifying the intensity of the blocks by the same amount but 
in reverse ways. The safeguard to watermark is expected because of the inability 
of the attacker to guess the exact partitioning of the original image. The process 
however fails in case of frequency domain attack and also there is not enough 
randomness to fight a variety of spatial attacks. The image key that we have 
used divides the image into a large number of blocks such that it is impossible 
for the attacker to guess the image partitions. 

The question of copyright protection should ideally take care of both intentional 
attacks and common transformations on the watermark [12,9]. Ruanaidh 
et al [13] have compiled an exhaustive list of possible threats and exploits 
in the case of digital watermarking in images. We demonstrate that our 
present approach is robust enough to survive common image transformations 
like rotation, isotropic scaling, cropping etc., besides intentional attacks in both 
spatial and frequency domains. 

The paper is organized as follows. In Section 2, we present the generation of 
the cryptographic parameters, viz., the image key and the buyer key. In Section 3, the 
proposed watermarking scheme is outlined, including the watermark recovery 
process. The simulation for watermarking and key retrieval results are presented 
in Section 4. This is followed by the conclusion. 

2 Generation of Image and Buyer Key 

2.1 The Image Key 

Consider an image $I$, which can be seen as a matrix of size $2^a \times 2^b$. Let us 
consider that the image is divided into $m = 2^n$ subgroups, each containing 
$2^{a+b-n}$ pixel locations. Let us denote the subgroups by $G_0, G_1, \ldots, G_{m-2}, G_{m-1}$. 
Each subgroup $G_k$ is thus a set of $2^{a+b-n}$ tuples of the form (row index, column 
index). Note that the row index $i$ varies from 0 to $2^a - 1$ and the column index $j$ 
varies from 0 to $2^b - 1$. It is also clear that $G_{k_1} \cap G_{k_2} = \emptyset$ for $0 \le k_1 \ne k_2 \le m - 1$. 
Example 1: (a) Matrix for $I^e$ (b) Label matrix (c) Matrix for $I^{ew}$ 



Let us explain the scenario with Example 1. Consider the $2^2 \times 2^2$ matrix 
in Example 1(a), where $a = b = 2$. This matrix corresponds to an example 
image $I^e$. Each location of the matrix can be referred to as $(i, j)$ for 
$0 \le i \le 2^a - 1$, $0 \le j \le 2^b - 1$. Each location $(i, j)$ contains some value, 
typically between 0 and 255 for an 8-bit intensity image. For example, the 
location (2, 3) contains the value 11. We take $m = 2^n = 2^2 = 4$ for example 
and assign $G_0 = \{(0, 1), (3, 2), (1, 1), (2, 3)\}$, $G_1 = \{(1, 2), (3, 0), (2, 1), (1, 3)\}$, 
$G_2 = \{(1, 0), (2, 0), (2, 2), (3, 1)\}$, $G_3 = \{(0, 0), (0, 2), (0, 3), (3, 3)\}$. Storing this 
kind of grouping of the image pixels is easier if we maintain a label matrix $L$ 
corresponding to the image $I$, which is of size $2^a \times 2^b$. Each location of this 
matrix contains the value $k$, $0 \le k \le m - 1$, if the corresponding pixel location 
in the image $I$ belongs to the group $G_k$. This is shown in Example 1(b). Now 
we provide the following proposition. 

Proposition 1. Consider an image $I$ of size $2^a \times 2^b$. Consider the partition of 
the image $I$ into $m = 2^n$ groups $G_0, \ldots, G_{m-1}$, each containing an equal number of 
pixel locations. Then the total number of options to select such groups is 

greater than 2"^^ 

Proof. Given the partition into $2^n$ groups, the number of pixels in each group 
is $2^{a+b-n}$. Thus the total number of choices to select such groups is equal to 
Corresponding to an image $I$, it is now clear that the total number of options 
in choosing the label matrix is prohibitively large. We select a random label 
matrix from this set. We use this random label matrix as the image key $K^I$. Thus 
the size of the image key is $2^{a+b}$ locations, each containing an integer value 
between 0 and $2^n - 1$. This integer value can be represented using $n$ bits. Thus 
the total size of the image key is $n 2^{a+b}$ bits. Given $p$ image pixels, 
generation of the image key needs $O(p)$ operations. For an image of size $256 \times 256$, if 
we divide the image into $m = 2^n = 2^8$ groups, we need $2^{16}$ bytes or 64 kbytes. 
The image key will be stored with the owner of the image and there is no need 
to communicate this key. Thus, the amount of space required for storing this 
key is moderate. Each location of the image key can be accessed as $K^I_{i,j}$ for 
$0 \le i \le 2^a - 1$, $0 \le j \le 2^b - 1$. 



2.2 The Buyer Key 

Depending on the number of groups $m = 2^n$ in the image, we take a binary vector 
of length $2^n$. This vector is considered as the buyer key $B$. Each location of the 
bit vector $B$ can be accessed as $B_k$ for $0 \le k \le 2^n - 1$. Vector $B$ is selected from 
a set of binary error correcting codes $C$. The set contains $M$ distinct code words 
such that the Hamming distance [10] between any two code words is at least $d$. For 
experimentation, we use the set of $2^n$-length code words containing $M = 2^{n+1}$ 
distinct codes with minimum distance $2^{n-1}$ [10]. The motivation for selecting 
buyer keys from a set of error correcting codes will be clear in the following 
section where watermark insertion and retrieval issues are discussed. 

The actual buyer key used is not directly derived from the error correcting 
codes that we will use. Rather it is a random permutation $\pi(B)$ of the code 
word $B$. Note that this permutation $\pi(\cdot)$ is selected randomly but it is specific 
to an image. So this can be considered as a part of the image key. This provides 
additional robustness given that a possible forger may know the error correcting 
codes but not the image specific permutation. Given a moderate value of the 
code length $m$, the number of such possible permutations is $m!$, which is prohibitively 
large. In subsequent discussions, this transformation is not incorporated for 
brevity. Also it has no additional influence on the watermarking and retrieval 
algorithms described next. 



3 Watermarking Scheme 

The overall approach of the proposed scheme is presented in Figure 1. In the 
watermarking module, the original image is spatially divided into a number of 
blocks based on the image key. The image intensity of each block is then modulated 
depending on the bit values of the buyer key. This process generates the 
watermarked image. In the retrieval process, the original and the watermarked (possibly 
forged) images are compared block by block. The block information is obtained 
from the image key. Depending on the extent of intensity modification in 
each block a probable buyer key is generated. This key is then mapped to the exact 
buyer key by correcting the errors using the theory of error correcting codes [10]. 




Fig. 1. The watermarking and the watermark retrieval process. 



3.1 Insertion of Watermark 

The process of generating the watermarked image $I^w$ from the original image $I$ is 
described next. 

Algorithm 1 

1. For $0 \le i \le 2^a - 1$, $0 \le j \le 2^b - 1$ 

(a) Let $I_{i,j}$ be the pixel value of the image $I$ at the pixel location $(i, j)$. 

(b) Let $(i, j)$ belong to the group $G_k$, i.e., $L_{i,j} = k$. 

(c) If $B_k = 0$, $I^w_{i,j} = I_{i,j}$; else if $B_k = 1$, $I^w_{i,j} = I_{i,j} + \beta_{i,j}$. 

Now we denote the sum $\sum_{(i,j) \in G_k} \beta_{i,j} = \delta_k$. We will show 
that this $\delta_k$ value plays an important role in this digital watermarking technique. 
We consider that the $\beta_{i,j}$’s are either all positive or all negative for 
a group $G_k$. Thus the value of $\delta_k$ may be either positive or negative. Also it 
is important to decide the values of $\beta_{i,j}$ such that the quality of the image is 
not degraded. We follow the principles of the Weber ratio (WR) [5, Pages 16-18] in 
selecting the values of $\beta_{i,j}$. To maintain perceptual clarity, $WR = |I^w_{i,j} - 
I_{i,j}| / I_{i,j}$ is taken as less than or equal to 2%. Let us discuss the situation in 
terms of the example image $I^e$. From $I^e$ we can construct the watermarked 
image $I^{ew}$ with $\beta_{i,j} = 1$ or $\beta_{i,j} = -1$, for $0 \le i \le 3$, $0 \le j \le 3$ and the buyer 
key $B^e = 1010$. This is shown in Example 1(c). For $G_0$ we take $\beta_{i,j} = 1$ and for 
$G_2$ we take $\beta_{i,j} = -1$. In this case $\delta_0 = 4$, $\delta_2 = -4$ and $\delta_1 = \delta_3 = 0$. Hence, 
given the image $I$, the image key and the unaltered watermarked image $I^w$, one 
can find the buyer key $B$ as follows. 
Algorithm 2 

1. For $0 \le k \le 2^n - 1$, initialize values $\sigma_k = 0$, bit values $q_k = 0$. 

2. For $0 \le i \le 2^a - 1$, $0 \le j \le 2^b - 1$ 

If $(i, j)$ belongs to the group $G_k$, $\sigma_k = \sigma_k + I^w_{i,j} - I_{i,j}$. 

3. For $0 \le k \le 2^n - 1$ 

(a) if $\sigma_k$ and $\delta_k$ are both equal to 0, $q_k = 0$. 

(b) if $\sigma_k$ and $\delta_k$ are equal with a nonzero value, $q_k = 1$. 

4. Report $q$ as the buyer key $B$. 

Thus if Bob buys a watermarked image $I^w$ from the owner Alice and then 
resells $I^w$ to Oscar, then from $I^w$ (no matter whether Alice gets it from Bob or 
Oscar), Alice can easily find out the buyer key and identify Bob. However, the 
real situation is a little more complicated. Bob can very well perform some 
intentional processing on the image so that the scheme gets disturbed, and in such a 
situation Alice can not identify the buyer key as given in the above algorithm. 
This is discussed next. Again, for $p$ pixels, the retrieval of the buyer key is executed 
in $O(p)$ time. 



3.2 Identifying Buyer Key from Attacked Watermarked Image 

In this subsection we give the idea of how we can find out the buyer key successfully 
from the attacked watermarked image $I^{wf}$. Let us first describe the algorithm. 

Algorithm 3 

1. For $0 \le k \le 2^n - 1$, initialize values $\sigma_k = 0$, bit values $q_k = 0$. 

2. For $0 \le i \le 2^a - 1$, $0 \le j \le 2^b - 1$ 

If $|I^{wf}_{i,j} - I_{i,j}| > |\beta_{i,j}|$ then $I^{wf}_{i,j} = I_{i,j} + \beta_{i,j}$. 

3. For $0 \le i \le 2^a - 1$, $0 \le j \le 2^b - 1$ 

If $(i, j)$ belongs to the group $G_k$, $\sigma_k = \sigma_k + I^{wf}_{i,j} - I_{i,j}$. 

4. For $0 \le k \le 2^n - 1$ 

(a) if $|\sigma_k| < C_k |\delta_k|$, $q_k = 0$. 

(b) else if $|\sigma_k| \ge C_k |\delta_k|$, $q_k = 1$. 

5. Find out the codeword $q'$ closest to $q$ and report $q'$ as $B$. 

3.3 Analysis of the Watermark Retrieval Process 

Given a wide range of image transformations and intentional attacks on the 
watermark, exact determination of $C_k$ is not possible. Instead, we use a 
range of values for $C_k$. We call this the tolerance factor. In the simulation, we present 
our retrieval results as the number of bit-wise matches between $B$ and $q'$ against 
a range of values for $C_k$. Our experimentation shows that it is always possible to 
find out the buyer keys properly with some tuning of this method. We would like to 
elaborate a few issues in this regard. 

The method works over some disjoint subsets of the image. Given the enormous 
number of options to select one such image key (see Proposition 1), it is 
clear that guessing the image key is almost impossible. Also, while watermarking, 
the intensity values may be increased or decreased for an individual group. 
Thus if the attacker tries to change some pixel values in the same way and at the 
same time tries to regroup the pixels, the effect will be nullified over the whole 
region corresponding to a subgroup $G_k$. 

Given the watermarking scheme and the $\beta_{i,j}$ values, the difference between 
$I_{i,j}$ and $I^w_{i,j}$ is known. Thus, if we receive an attacked watermarked image $I^{wf}$, 
then we can prune the image as follows. If $|I^{wf}_{i,j} - I_{i,j}|$ is greater than $|\beta_{i,j}|$, then 
it is clear that this can not be a true value in the watermarked object. Thus, in 
this situation the value of $I^{wf}_{i,j}$ should be replaced by $I_{i,j} + \beta_{i,j}$ before further 
processing. 

Once again recapitulate that $\sum_{(i,j) \in G_k} (I^w_{i,j} - I_{i,j}) = \sum_{(i,j) \in G_k} \beta_{i,j} = \delta_k$. 
After the pruning, $|I^{wf}_{i,j} - I_{i,j}| \le |\beta_{i,j}|$ for every pixel, hence 
$\sum_{(i,j) \in G_k} |I^{wf}_{i,j} - I_{i,j}| \le \sum_{(i,j) \in G_k} |\beta_{i,j}|$ and thus 
$0 \le |\sigma_k| = |\sum_{(i,j) \in G_k} (I^{wf}_{i,j} - I_{i,j})| \le |\delta_k|$. At this point the decision problem is whether 
we should interpret the value of $\sigma_k$ as 0 or as $\delta_k$. If we interpret $\sigma_k$ as 0, then $q_k$ is 0, 
else we interpret $q_k$ as 1. The value of the tolerance factor $C_k$ plays an important 
role in this respect. 

It is most natural that we should consider $q_k = 0$ if $|\sigma_k| < 0.5 |\delta_k|$ and 
$q_k = 1$ if $|\sigma_k| \ge 0.5 |\delta_k|$. However, depending on different kinds of attack it is 
not always possible to fix $C_k = 0.5$. It is important to tune the value of $C_k$ 
between 0 and 1 to decide the proper decision boundary for choosing the value 
of $q_k$. Also the values of $C_k$ may differ for different $k$. Thus we should write the 
relation as $q_k = 0$ if $|\sigma_k| < C_k |\delta_k|$ and $q_k = 1$ if $|\sigma_k| \ge C_k |\delta_k|$. 

It may very well happen that the attacked image is such that there are 
some errors in deciding the bits of $q$. We already know that the buyer key $B$ 
is chosen from a set of error correcting codes. If $q$ itself is a codeword, then 
we choose $q' = q$. Else we will try to find out a codeword $q'$ closest to $q$. We 
then decide the buyer key $B$ as $q'$. Since the minimum distance between the 
codewords is $d$, even if there are $\lceil d/2 \rceil - 1$ errors in selecting $q$ (i.e., the Hamming 
distance between $q$ and $B$ is at most $\lceil d/2 \rceil - 1$), at the time of finding the closest 
codeword $q'$ these errors can be corrected [10]. Thus we will get the proper buyer 
key $B = q'$. On the other hand, if the number of errors is more than $\lceil d/2 \rceil - 1$, 
then a wrong buyer key will be estimated and the scheme will fail. Given the 
scheme, it is intuitively clear that the probability of errors in properly estimating 
the regional sum $\delta_k$ from $\sigma_k$ is very low, as without knowing the image key (the 
division of groups) it is almost impossible to change the bias in the region. 
Moreover, for an erroneous detection of the buyer key, such judgements need to be 
wrong for more than $\lceil d/2 \rceil - 1$ regions, which further reduces the error probability. 
It seems extremely complicated to provide a closed form mathematical expression 
for the probability of error. To justify our claim, with experimental 
results we will show that the possibility of wrong estimation is negligible. In fact 
in all the experiments we could detect the buyer key properly. 

For expensive items, it is natural that we need to provide additional security. 
Also, it is expected that fewer copies will be sold. This means we need 
comparatively fewer code words. This helps in selecting a larger value 
for $d$ and in turn ensures better performance while retrieving watermarks. 

In the next section, we simulate the insertion and retrieval of watermark in 
two dimensional images and show the robustness of the methodology under a 
variety of image transformations and forging attacks. 
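Algorithms 1 and 3 with first-order Reed-Muller buyer keys, as an added example (not the paper's MATLAB implementation): it builds a random image key, embeds a buyer key, and recovers it after an attack with the pruning and tolerance-factor decision of Section 3.3. Assumed for brevity: one constant $\beta_k$ per group instead of per-pixel $\beta_{i,j}$, a constructed 8 x 8 image, and n = 3 so that d = 4 and one wrong bit in q is corrected; the erase_group attack is constructed for the demo.

```python
import random
from itertools import product


def rm1_codewords(n):
    """All codewords of the first-order Reed-Muller code RM(1, n): length 2^n,
    2^(n+1) words, minimum distance 2^(n-1).  The word for coefficients
    (a0, a1..an) has bit a0 XOR <(a1..an), bits(x)> at position x."""
    words = []
    for coeffs in product((0, 1), repeat=n + 1):
        a0, a = coeffs[0], coeffs[1:]
        word = []
        for x in range(2 ** n):
            dot = sum(a[t] & ((x >> t) & 1) for t in range(n)) % 2
            word.append(a0 ^ dot)
        words.append(tuple(word))
    return words


def hamming(u, v):
    return sum(x != y for x, y in zip(u, v))


def image_key(a, b, n, rng):
    """Image key K^I: a random label matrix in which each of the m = 2^n groups
    G_k owns exactly 2^(a+b-n) pixel locations (Section 2.1)."""
    labels = [k for k in range(2 ** n) for _ in range(2 ** (a + b - n))]
    rng.shuffle(labels)
    cols = 2 ** b
    return [labels[i * cols:(i + 1) * cols] for i in range(2 ** a)]


def insert_watermark(img, L, B, beta):
    """Algorithm 1.  beta[k] is the constant beta_{i,j} used for group G_k
    (assumption of this example); pixels of groups with B_k = 1 are shifted
    by it, the others are left untouched."""
    return [[px + (beta[L[i][j]] if B[L[i][j]] == 1 else 0)
             for j, px in enumerate(row)]
            for i, row in enumerate(img)]


def retrieve_buyer_key(img, L, suspect, beta, codewords, C=0.5):
    """Algorithm 3: prune pixel differences to |beta|, accumulate the regional
    sums sigma_k, threshold them against C*|delta_k| and decode the nearest
    codeword.  Returns (q, q')."""
    m = len(beta)
    delta = [0] * m                       # delta_k = sum of beta over G_k
    sigma = [0] * m
    for i, row in enumerate(img):
        for j, px in enumerate(row):
            k = L[i][j]
            delta[k] += beta[k]
            diff = suspect[i][j] - px
            if abs(diff) > abs(beta[k]):  # step 2: impossible value, use I + beta
                diff = beta[k]
            sigma[k] += diff
    q = tuple(1 if abs(sigma[k]) >= C * abs(delta[k]) else 0 for k in range(m))
    q_prime = min(codewords, key=lambda w: hamming(w, q))
    return q, q_prime


def erase_group(img, watermarked, L, k):
    """Constructed attack for the demo: restore the original pixels of one
    group, i.e. remove the watermark from G_k only (one wrong bit in q)."""
    return [[img[i][j] if L[i][j] == k else watermarked[i][j]
             for j in range(len(img[0]))] for i in range(len(img))]


def demo(a=3, b=3, n=3, seed=1):
    """Constructed 8x8 image, 8 groups of 8 pixels, RM(1,3) buyer keys (d = 4,
    so one wrong bit in q is corrected).  Returns the key, q and q'."""
    rng = random.Random(seed)
    img = [[rng.randrange(16, 240) for _ in range(2 ** b)] for _ in range(2 ** a)]
    L = image_key(a, b, n, rng)
    codewords = rm1_codewords(n)
    B = codewords[4]                       # (0,1,0,1,0,1,0,1), an arbitrary buyer key
    beta = [1] * (2 ** n)                  # beta = 1 as in the paper's simulation
    wm = insert_watermark(img, L, B, beta)
    q_clean, qp_clean = retrieve_buyer_key(img, L, wm, beta, codewords)
    attacked = erase_group(img, wm, L, 1)  # G_1 has B_1 = 1: its sigma drops to 0
    q_att, qp_att = retrieve_buyer_key(img, L, attacked, beta, codewords)
    return {"B": B, "q_clean": q_clean, "q_prime_clean": qp_clean,
            "q_attacked": q_att, "q_prime_attacked": qp_att}


if __name__ == "__main__":
    r = demo()
    print("buyer key    ", r["B"])
    print("q (attacked) ", r["q_attacked"], "->", r["q_prime_attacked"])
```

With the paper's parameters (n = 7, 128 groups) the same code corrects up to 31 wrong bits, at the cost of building all 256 codewords.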

4 Simulation 

We have used Reed-Muller codes [10] to generate $2^n$-length buyer keys with the 
minimum distance between any two keys being $2^{n-1}$. There are $2^{n+1}$ such codes. 
For experimentation, we have taken $n = 7$. This makes the length of the key 
128 bits and can provide a maximum of 256 distinct code words. A bit-wise 
matching value of 128 gives the exact match for the buyer key. The scheme can 
correct a maximum of 31 bit errors, and bit-wise matching in at least 97 (= 
128 − 31) positions ensures complete decoding of the buyer key. 

In the experiments, the watermark is added in the spatial domain and its 
robustness is tested against a set of possible image transformations and simulated 
attacks. In this paper, we present the results from a $128 \times 128$ digitized image. 
The image is divided into 128 different image blocks. The results are presented 
in the form of graphs where bit-wise matching values are plotted against the 
tolerance factor described in Section 3. Throughout the experiments, we have 
used all the $\beta_{i,j}$ values equal to $\beta = 1$, as it is the minimal level of intensity 
modification of the pixels in the spatial domain. Naturally, this is the most 
favorable situation for the attacker and consequently the retrieval process is most 
challenging. In the subsequent discussions, we show that our method survives 
satisfactorily in retrieving the buyer key. 

To evaluate the performance of our scheme, a wide range of simulations has 
been carried out and the retrieval process is successful in all the cases. We present 
here a representative set of results that highlight the contribution of our method. 
We have implemented the algorithms in MATLAB on an Intel PIII 800 MHz 
computer. For 128 bit buyer keys applied on a $128 \times 128$ digitized image, the 
watermarking process is almost instantaneous while the buyer key retrieval takes 
approximately 0.3 to 0.7 seconds depending on the range of tolerance factor used. 



4.1 Performance with Respect to Common Image Transformations 

The different image transformations tested are as follows. (a) Scaling: both 
expansion and reduction of the image size are considered. (b) Rotation: we 
rotate the image by a certain angle. (c) Cropping: we have set the constraint 
that the cropping area can be no more than 40% of the original size. 
(d) Combined transformation: a combination of (a), (b) and (c). 

In case of scaling and rotation, the watermarked image is reverted back to the 
original size and orientation before testing the retrieval of the watermark. The 
cropped image is reverted back to the original dimension by adding the missing 
part of the cropped image from the original image. The original fruit image of 
size 128 × 128 and its watermarked version are shown in Figure 2(a) and 2(b) 
respectively. Note that there is no perceptual difference between the original 
and the watermarked version of the image. For simulation, the watermarked image 
is separately subjected to 127% expansion, 79% reduction and a rotation of 13°. 
The cropped image for testing watermark retrieval is shown in Figure 2(c). In 
case of combined transformation, the sequence of transformations includes 83% 
reduction followed by 13° rotation and cropping maintaining 80% of the 
watermarked image. The resultant image is shown in Figure 2(d). The buyer key 
retrieval result is shown in Figure 3(a). Table 1 presents the image 
transformation type (column 1) and parameters (column 2), the Weber ratio value 
(column 3), and the tolerance factor ($c_k$) range (column 4) for bit wise 
matching value ≥ 97. Note that for the image in Figure 2(d), we could 
successfully recover the buyer key even though the quality degrades beyond the 
perceptually acceptable limit after the transformations. Note that as an 
estimate of the degradation of the images after the attack we provide the Weber 
Ratio WR in the tables. See Figure 3(a) for the graphical representation. In the 
graphical representations we plot the range of $c_k$ on the horizontal axis. 
For the watermarking scheme we select a buyer key $B$ and insert it in the 
image. Using the recovery scheme we get back a key $q$. On the vertical axis we 
plot in how many places $B$ and $q$ match for a specific value of $c_k$. Note 
that in the experiments we vary $c_k$ over the complete range 0 to 1, and for 
all values of $k$ we choose the same $c_k$ value. If the bit matching value 
between $B$ and $q$ is at least 97, we can recover the key exactly [10]. 




Fig. 2. Original, watermarked and attacked images, (a), (b), (c), (d) from left to right. 
Table 1. Experimental results for common image transformations. 

Transformation type | Transformation parameters                 | Weber ratio | Range of c_k 
--------------------|-------------------------------------------|-------------|------------- 
Expansion           | 1.27x                                     | 0.008       | 0 to 1 
Reduction           | 0.79x                                     | 0.087       | 0 to 0.87 
Rotation            | 13°                                       | 0.173       | 0.35 to 0.63 
Cropping            | 73% of original area                      | 0.191       | 0 to 0.5 
Combined            | 0.83x, 13° rotation, 80% of original area | 0.442       | 0.17 to 0.28 

Fig. 3. Retrieval Graphs, (a), (b), (c), (d) from top left to bottom right. 



4.2 Performance against Spatial Domain Attack 

Attempting to destroy the watermark in the spatial domain is the most common 
type of attack in digital watermarking. We have simulated three such conditions, 
and the performance of our proposed scheme against such attacks is shown in 
Figure 3(b). In the first case, rewatermarking is done on the watermarked image. 
The parameters for the process are exactly identical to the original 
watermarking except that a different image key and buyer key are used for 
rewatermarking. This is in line with our assumption that the attacker is aware 
of the watermarking algorithm. The next test is to corrupt the intensity values 
of the watermarked image by either increasing or decreasing them by at most 2 
based on a random decision. Finally, the random attack is applied to the 
watermarked image already subjected to the combined image transformations of 
scaling, rotation and cropping. In all three cases, the proposed watermarking 
scheme is successful. Numerical results are given in Table 2. See Figure 3(b) 
for the graphical representation. 
Table 2. Experimental results for spatial domain attacks. 

Transformation type | Transformation parameters                 | Weber ratio | Range of c_k 
--------------------|-------------------------------------------|-------------|------------- 
Rewatermarking      |                                           | 0.02        | 0.2 to 1 
Random              |                                           | 0.079       | 0.1 to 0.9 
Combined and random | 0.83x, 13° rotation, 80% of original area | 0.541       | 0.3 to 0.4 

Table 3. Experimental results for frequency domain attacks. 

Transformation type | Weber ratio | Range of c_k 
--------------------|-------------|------------- 
Rewatermarking      | 0.039       | 0.5 to 1 
Random              | 0.102       | 0.97 to 1 


4.3 Performance against Frequency Domain Attack 

The simulation of forging attempts is further extended to the frequency domain. 
The watermarked image is transformed to the frequency domain using the FFT. The 
FFT domain image, including the imaginary part, is subjected to the following 
attacks. First we insert a separate watermark in the frequency space following 
the watermarking principles explained in Algorithm 1. With knowledge of the 
watermarking process, this could be a valid attack with the intention that the 
spatial watermark is going to be distorted. The $\beta_{ij}$ values selected for 
this purpose are taken as 5% of the original value. The second case is similar 
to the random attack in the spatial domain except that in this case amplitude 
values in frequency space are randomly manipulated. The amplitude is changed by 
a maximum of ±10% of the original value. 

After these attacks, the inverse FFT is applied and the image is passed through 
the retrieval process. In both cases successful retrieval of the buyer key is 
possible. The corresponding watermarking parameters are shown in Table 3. See 
Figure 3(c) for the graphical representation. 



4.4 Authentication of Buyer Key 

We once again refer to step 5 of Algorithm 3. In this step, we find the correct 
code word $q'$ closest to $q$. Our hypothesis is that the selection of a wrong 
buyer key is improbable for the complete range of the tolerance factor. We 
substantiate this with the following experiment. We use the buyer key $B$ to 
watermark the image and then perform the random attack in the spatial domain as 
in Table 2. We get back the key $q$ using our retrieval algorithm. We also 
select four other buyer keys $B_1, B_2, B_3, B_4$ (from the same error 
correcting code) which are different from $B$. Figure 3(d) shows that, varying 
the tolerance factor $c_k$, the original code word $B$ provides the highest bit 
wise matching with the retrieved bit pattern $q$. For the rest of the code 
words, the bit wise matching between $B_i$ ($i = 1, 2, 3, 4$) and $q$ never 
reaches the threshold 97 necessary for buyer key authentication. 
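The buyer-key code of Section 4 and the closest-code-word step of Section 4.4, as an added Python example (not the authors' MATLAB implementation): the first-order Reed-Muller code RM(1,7) with n = 7, its bit wise matching value, nearest-code-word decoding, and the 97-bit authentication threshold. The bit-flip noise model, the decoder and all helper names are constructed here.

```python
"""RM(1,7) first-order Reed-Muller code as the buyer-key code of Section 4: n = 7 gives
128-bit keys, 2^(n+1) = 256 code words, minimum distance 2^(n-1) = 64, up to 31 errors
corrected. Added illustration, not the authors' code; noise model and decoder are ours."""
import random

N = 7
LENGTH = 1 << N                          # 128 bits per buyer key
MAX_ERRORS = ((1 << (N - 1)) - 1) // 2   # (d - 1) // 2 with d = 64  ->  31
THRESHOLD = LENGTH - MAX_ERRORS          # 97 matching bits guarantee exact decoding


def codeword(index):
    """Buyer key number `index` (0..255): the truth table of the affine Boolean function
    a0 + a1*v1 + ... + a7*v7 over GF(2), evaluated at all 128 points v of GF(2)^7."""
    a = [(index >> i) & 1 for i in range(N + 1)]          # coefficients a0 .. a7
    bits = []
    for v in range(LENGTH):
        acc = a[0]
        for i in range(N):
            acc ^= a[i + 1] & ((v >> i) & 1)
        bits.append(acc)
    return tuple(bits)


CODE = [codeword(i) for i in range(1 << (N + 1))]         # all 256 buyer keys


def matches(a, b):
    """Bit wise matching value: number of positions where two 128-bit patterns agree."""
    return sum(x == y for x, y in zip(a, b))


def min_distance():
    """Minimum distance of the (linear) code = smallest weight of a non-zero code word."""
    return min(sum(c) for c in CODE[1:])


def nearest(q):
    """Step 5 of Algorithm 3: the code word q' closest to the retrieved pattern q.
    Returns (index of q', matching value); q' is unique whenever the value >= THRESHOLD."""
    best = max(range(len(CODE)), key=lambda i: matches(CODE[i], q))
    return best, matches(CODE[best], q)


def authenticates(q, index):
    """Section 4.4: does buyer key `index` reach the 97-bit threshold against q?"""
    return matches(CODE[index], q) >= THRESHOLD


def corrupt(index, errors, rng):
    """Constructed model of a retrieved pattern q: buyer key `index` with `errors`
    distinct bit positions decoded wrongly."""
    q = list(CODE[index])
    for pos in rng.sample(range(LENGTH), errors):
        q[pos] ^= 1
    return tuple(q)


def decode_and_check(index, errors, rng):
    """Returns (decoded index, matching value of the true key with q, whether some
    other code word also reaches the threshold, i.e. a wrong buyer could be blamed)."""
    q = corrupt(index, errors, rng)
    decoded, _ = nearest(q)
    others = any(authenticates(q, i) for i in range(len(CODE)) if i != index)
    return decoded, matches(CODE[index], q), others


def default_rng(seed=2001):
    """Seeded generator so the constructed experiment is reproducible."""
    return random.Random(seed)


if __name__ == "__main__":
    print("code words:", len(CODE), "min distance:", min_distance())
    print("31 errors:", decode_and_check(173, MAX_ERRORS, default_rng()))
    print("32 errors:", decode_and_check(173, MAX_ERRORS + 1, default_rng()))
```

With exactly 31 wrong bits the true key still matches in 97 positions while every other code word matches in at most 95, which is why the threshold of Section 4.4 separates the genuine buyer from all others.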
4.5 Collusion Attack 

Note that if we use the same value of $\beta_{ij}$ for all buyer keys, then using 
more than one image it is possible to guess the true value of the image pixels 
by comparing watermarked images. Our motivation in this direction is that a 
collusion attack should not succeed in getting the original image. For this we 
propose different sets of $\beta_{ij}$ values for different users. Corresponding 
to the image $I$, for each pixel value $I_{ij}$, we define a range of values 
$l_{ij} \le \beta_{ij} \le u_{ij}$ ($l_{ij} < 0$, $u_{ij} > 0$) such that 
$I_{ij} + \beta_{ij}$ does not make any perceptual change over the complete 
range. Now for a specific user $u$, we choose one value from this range of 
$\beta_{ij}$ values. We modify step 1(c) of Algorithm 1 as follows. 
Corresponding to the buyer key $B$, if the bit value $B_k = 0$, then for the 
group $G_k$ we use $I_{ij} - \beta_{ij}$; otherwise, for $B_k = 1$, we take 
$I_{ij} + \beta_{ij}$. Thus it is not possible for the collusion attackers to 
decide on the exact value of each pixel. In such a case the pruning step 2 of 
Algorithm 3 needs to be modified also. The choice of $\beta_{ij}$ values in this 
case will identify different buyers, and it is of interest to explore whether 
this helps in identifying one or more of the attackers who participate in a 
collusion attack. 

5 Conclusion 

We have proposed a novel watermarking technique that survived attacks both in 
frequency and spatial domains. The watermark retrieval is based on the secure 
image key and the original image. Since the retrieval is basically the identification 
of the buyer key, the trail of forging could be identified through the buyer key. 
The proposed technique is computationally attractive and has the potential for 
improvement which we are working on. We are extending this for multimedia 
objects incorporating watermarking in spatial, frequency and wavelet domains. 
Abstract. In a public auction, all bid values are published, but each bidder 
participates in the auction protocol in an anonymous way. Recently, Omote and 
Miyaji [OM01] proposed a new model of public auction in which any bidder can 
participate in plural rounds of auction with one-time registration. They have 
introduced two managers, a registration manager (RM) and an auction manager 
(AM), and have used efficient tools such as a bulletin board and signature of 
knowledge [CS97]. In this scheme, even if a bidder is identified as a winner in 
a round, he can participate in the next rounds of auction maintaining anonymity 
for RM, AM, and any bidder. But a problem of this protocol is that the identity 
of the winner cannot be published. In the winner announcement stage, RM informs 
the vendor of the winner’s identity secretly. Therefore RM’s final role cannot 
be verified, and AM and any participating bidder cannot be sure of the validity 
of the auction. 

In this paper, we propose a new public auction scheme which can solve this 
problem. In the proposed scheme, both RM and AM execute a randomization 
operation in the round setup process, which makes the publication of the 
winner’s identity possible while keeping the anonymity of the winner in the next 
rounds of auction. Moreover, AM provides a ticket identifier based on 
Diffie-Hellman key agreement which is recognized only by the bidder. Our scheme 
provides real anonymity in plural rounds of auction with one-time registration 
in a verifiable way. 

Keywords: public auction, English auction, anonymity, one-time regis- 
tration, public verifiability, hash chain, signature of knowledge, anony- 
mous signature scheme 



1 Introduction 

Electronic auction is an attractive form of electronic commerce, and recently 
many kinds of auction services are provided over the Internet. Electronic 
auctions can be classified into sealed-bid auctions and public auctions 
according to the way they run. 

In a sealed-bid auction [FR96,SKM00,Sako00,OM00,SM00], each bidder secretly 
submits a bid only once in the bidding stage. In the opening stage, the bidder 
who has offered the highest price is announced as the winner. In this type of 
auction, bid secrecy is of prime concern. Possible problems of sealed-bid 
auctions are that the competition principle does not work well and a winning 
bid may be much higher than the market price. In a public auction 
[OM01,NT00,SS99], also called English auction, all the bid values are 
published, but each bidder participates in the auction protocol in an anonymous 
way. Each bidder offers a higher price one by one and can bid multiple times in 
a round of auction. Finally, the bidder who has offered the highest price 
becomes the winner. In this case anonymity of the bidder is of prime concern. 
Traditionally, sealed-bid auction and public auction are two different ways of 
running an auction, and one is preferred over the other according to the 
application. Recently, many online auction services are provided on the 
Internet and most of them are public auctions. In this paper we consider how to 
improve public auction. 

Requirements of public auction can be listed as follows [OM01]. 

1. Anonymity: Nobody can identify a bidder from a bid. 

2. Traceability: A winner who has submitted the winning bid can be traced. 

3. No framing: Nobody can impersonate a certain bidder. 

4. Unforgeability: Nobody can forge a bid with a valid signature. 

5. Non-repudiation: The winner cannot repudiate the fact that he has placed 
the winning bid. 

6. Fairness: All bids should be dealt with in a fair way. 

7. Public verifiability: Anybody can verify the validity of a bidder, the validity 
of a bid, and the correctness of winner announcement. 

8. Unlinkability (among different rounds of auction): Nobody can link the same 
bidder’s bids among different rounds of auction. 

9. Linkability (in a round of auction): Anybody can link which bids are placed 
by the same bidder and knows how many times a bidder places a bid in a 
round of auction. 

10. Efficiency of bidding: The computation and communication amount in both 
bidding and verifying should be practical. 

11. One-time registration: Bidder can participate in plural rounds of auction 
anonymously with one-time registration. 

12. Easy revocation: RM can revoke certain bidder easily. 

Note that we have added public verifiability and non-repudiation compared 
with [OM01]. 

[NT00] proposed a public auction protocol which keeps bidder privacy using a 
group signature scheme. They used the useful property of group signatures that 
a member of a group can sign anonymously on behalf of the group, and the group 
manager can identify the signer later. But public auction based on group 
signatures requires complicated signature generation and verification 
procedures. Moreover, the group signature does not satisfy anonymity for the 
group manager (GM) at all, since GM has the special power to identify bidders. 
Revocation of a bidder is also difficult in group signature schemes. 

Recently, [OM01] proposed an efficient model of public auction. In their 
scheme, two managers, a registration manager (RM) and an auction manager (AM), 
are introduced to provide the anonymity of bidders. As an anonymous signature 
scheme, they used the signature of knowledge [CS97] with an anonymous 
challenge. They made the overall protocol very simple and efficient by using a 
bulletin board as a public communication channel. But a problem of this 
protocol is that the identity of the winner cannot be published. In the winner 
announcement stage, RM secretly informs the vendor of the winner’s identity. 
Therefore AM and all participating bidders cannot be sure whether RM has 
executed his role correctly and the winner was decided, i.e., the winner 
announcement is not publicly verifiable. If the winner’s identity is published 
(exposed to AM), the anonymity of the winner for AM is not satisfied in future 
rounds of auction because AM uses the same public key in future rounds of 
auction. 

To solve this problem, we propose a new public auction protocol. In our 
protocol, both RM and AM execute a randomization operation in the round setup 
process to prepare the auction ticket, so RM or AM alone cannot identify 
bidders. Moreover, the winner’s identity can be published in the winner 
announcement stage while keeping the anonymity of the winner in future rounds 
of auction. Therefore, plural rounds of auction with one-time registration are 
possible in a verifiable way. Moreover, AM provides a ticket identifier using 
Diffie-Hellman key agreement which is recognized only by the bidder. 

This paper is organized as follows. First, the [OM01] scheme is described 
briefly and its problem is discussed in Section 2. Next, cryptographic 
primitives such as signature of knowledge, hash chain, and Diffie-Hellman key 
agreement are described in Section 3. Then, the proposed public auction 
protocol is described in detail in Section 4 and various features of the 
proposed protocol are discussed in Section 5. Finally, we conclude in Section 6. 



2 Omote and Miyaji’s Scheme 

The public auction scheme proposed by Omote and Miyaji [OM01] is an efficient 
model of public auction in which bidders can participate in plural rounds of 
auction with one-time registration. In this scheme, two kinds of managers are 
introduced. The registration manager (RM) secretly knows the correspondence 
between a bidder’s identity and the bidder’s registration key, and works as an 
identity escrow agency. The auction manager (AM) hosts the auction and prepares 
auction tickets in each round. 

Consider a discrete logarithm based cryptosystem. Let $p$ and $q$ be two large 
primes satisfying $q \mid p - 1$ and $g$ be an element of order $q$ in the 
multiplicative group $\mathbb{Z}_p^*$. AM has private key $x_A$ and public key 
$y_A = g^{x_A}$. The i-th bidder has private key $x_i$ and public key 
$y_i = g^{x_i}$. 

2.1 Procedure 

Bidder registration: A bidder $B_i$ registers his public key $y_i$ with RM as 
follows. He chooses a random number $t_i$ and sends $(y_i, t_i)$ with a proof 
that he knows the private key $x_i$ (the discrete logarithm of $y_i$ to the 
base $g$). When RM accepts the proof, he publishes $(y_i, t_i)$ on his bulletin 
board and keeps the bidder’s identity $B_i$ secretly in his secure database. 

AM’s round setup: Assume that AM holds the k-th round of auction. She gets 
$(y_i, t_i)$ of every participating bidder $B_i$ from RM’s bulletin board. She 
computes shared secret keys $y_i^{x_A}$ for every bidder $B_i$ by using the 
Diffie-Hellman key agreement technique. She generates random numbers $r_i$ for 
every bidder and keeps them secretly. She computes the following auction keys 
$T_i$ for $B_i$ 

$T_i = (Enc^k(y_i^{x_A}, t_i),\; y_i^{r_i},\; g^{r_i})$ 

where $Enc^k(y_i^{x_A}, t_i) = Enc(y_i^{x_A}, Enc^{k-1}(y_i^{x_A}, t_i))$ is 
the k-time encryption of $t_i$ using the shared key $y_i^{x_A}$. She publishes 
the auction keys $T_i$ of all bidders on her bulletin board in a shuffled way. 

Bidding: Bidder $B_i$ who wants to participate in the k-th round of auction can 
easily find his auction key $T_i$ on AM’s bulletin board because he can compute 
$Enc^k(y_i^{x_A}, t_i)$ in advance by using $y_i^{x_A} = y_A^{x_i}$. When he 
places a bid, he sends the following bid information $(m_i, y_i^{r_i}, g^{r_i}, 
V_2)$ to AM. 

— a bid $m_i$ ($m_i$ = auction ID || bid value) 

— $y_i^{r_i}$ and $g^{r_i}$ published by AM 

— $V_2 = SK[\alpha : y_i^{r_i} = (g^{r_i})^{\alpha}](m_i)$ 

Here $V_2$ is a signature of knowledge [CS97] on message $m_i$ and implies that 
$B_i$ knows the value $\alpha = x_i$. 

Winner decision and announcement: Assume that $m_j$ is the winning bid. AM 
proves to RM that the public information attached to the winning bid $m_j$ 
corresponds to the public key $y_j$ by sending $r_j^{-1}$. Then, RM informs the 
vendor of the winner’s identity secretly after the winner decision procedure. 



2.2 Problem of this Scheme 

This scheme is a very efficient public auction in the sense that the bidding 
and verifying procedures are very simple and each bidder can participate in 
plural rounds of auction with one-time registration. But a problem of this 
scheme is that the winner announcement stage is not publicly verifiable. AM’s 
proof to RM (sending $r_j^{-1}$) and RM’s secret identification of the winner 
to a vendor are not published at all. This kind of secret proof is not a good 
way in a public auction over a distributed network like the Internet. In the 
winner announcement stage, every bidder can only recognize what the highest bid 
value is, but they cannot verify whether the two managers have executed their 
job correctly and who the winner is. They just have to trust the honesty of the 
two managers. From AM’s point of view, she sends $r_j^{-1}$ to RM, but cannot 
verify whether RM gives the proper identification of the winner to the vendor. 
Therefore this kind of auction protocol that cannot be verified publicly cannot 
be used in a real application, and it does not have the one-time registration 
property. 

The reason that the winner’s identity cannot be published is that anonymity of 
the winner for AM is not provided in future rounds of auction. Since AM uses 
the same key material $y_i$ for every round of auction, she can identify the 
winner easily in future rounds of auction. So fairness and unlinkability are 
not provided. 

In this paper we propose a new public auction protocol which can solve this 
problem. The basic idea is that RM executes an additional randomization oper- 
ation in round setup procedure such that the winner’s identity can be published 
in the winner announcement stage and the winner anonymity for AM is kept in 
future rounds of auction. 

3 Cryptographic Primitives 

3.1 Signature of Knowledge 

We use the signature of knowledge (SK) of a discrete logarithm introduced by 
Camenisch and Stadler [CS97] as an anonymous signature scheme. Let $x$ be the 
private key of a signer and $y = g^x$ the corresponding public key. A pair 
$(c, s) \in \{0,1\}^l \times \mathbb{Z}_q$ satisfying 
$c = h(m \| y \| g \| g^s y^c)$, where $l$ is a security parameter of the hash 
function, is a signature of knowledge of the discrete logarithm of the element 
$y \in \mathbb{Z}_p$ to the base $g$ on the message $m$. Such a signature of 
knowledge can be computed if the private key $x = \log_g y$ is known, by 
choosing a random number $k \in \mathbb{Z}_q$ and computing 

$c = h(m \| y \| g \| g^k)$ and $s = k - cx \bmod q$. 

It is verified by checking $c \stackrel{?}{=} h(m \| y \| g \| g^s y^c)$. We 
denote this signature of knowledge as 

$V = SK[x : y = g^x](m)$. 

SK represents both the proof of knowledge of the private key $x$ and a 
signature on message $m$. 

This scheme can be used as an anonymous signature scheme if $(y^r, g^r)$ are 
challenged for a secret random number $r \in \mathbb{Z}_q$ instead of $(y, g)$. 
The signer computes $(c, s)$ satisfying 
$c = h(m \| y^r \| g^r \| (g^r)^s (y^r)^c)$ for the challenged $(y^r, g^r)$. We 
denote this signature as 

$V = SK[x : y^r = (g^r)^x](m)$. 



3.2 Hash Chain 

Assume that a bidder $B_i$ and RM are sharing secret bidder information $t_i$. 
In each round $k$, they compute a special hash chain value $h^k(t_i)$ which can 
be computed only by the bidder $B_i$ and RM who know $t_i$. If $h()$ is a 
collision-resistant cryptographic hash function, computing $h^k(t_i)$ without 
knowing $t_i$ is infeasible even though all $h^j(t_i)$ for $j < k$ are known. 

This is a kind of secure channel between $B_i$ and RM. Using this primitive, a 
bidder can easily identify his round key generated by RM while keeping the 
anonymity of the round key against any other party including AM. 

3.3 Diffie-Hellman Key Agreement 

Assume that a bidder $B_i$ has a key pair $(x_i, y_i)$ and AM has a key pair 
$(x_A, y_A)$. $B_i$ and AM can share a secret key $K_i = y_A^{x_i} = y_i^{x_A}$ 
using the Diffie-Hellman key agreement technique. Using the shared secret key 
$K_i$, bidder $B_i$ can easily identify his auction ticket generated by AM, 
while AM does not know which is $B_i$’s auction ticket. 

4 Proposed Public Auction Scheme 

In this Section, we describe the proposed public auction scheme, which is a 
modification of [OM01] such that RM executes an additional randomization 
operation in the round setup procedure and the winner’s identity is published 
on the bulletin board. 

4.1 System Set-Up 

The entities of our scheme consist of the registration manager (RM), the 
auction manager (AM), and n bidders $B_i$ ($i = 1, \dots, n$). The role of each 
entity is as follows: 

RM 

— He is in charge of the one-time registration process and has a secret 
database to keep secret user information. 

— He participates in the round key setup process to publish round keys in a 
shuffled way on his bulletin board. 

— He publishes winner specific information on his bulletin board in the 
winner announcement stage. 

AM 

— She prepares auction tickets in each round of auction using a random 
number and round keys. She publishes them on her bulletin board in a 
shuffled way. She has a secret database to keep random numbers. 

— She publishes winner specific information on her bulletin board in the 
winner announcement stage. 

— She has private key $x_A$ and public key $y_A = g^{x_A}$. 

Bidder ($B_i$ where $i = 1, \dots, n$) 

— A bidder has to register with RM to participate in the auction. 

— He participates in a round of auction using his auction ticket. 

— He has private key $x_i$ and public key $y_i = g^{x_i}$. 







B. Lee, K. Kim, and J. Ma 



In [OM01], the winner’s identity is secretly reported to the vendor by RM, 
therefore the vendor is an important entity. But in our scheme the vendor of 
the auction does not have any role because the winner’s identity is published 
on the bulletin board. In this setting we assume that RM and AM do not collude 
with each other to break the anonymity of a bidder. If they collude, they can 
identify any bidder. 

In our scheme, five bulletin boards are used, i.e., bulletin boards for regis- 
tration, round key, auction ticket, bidding, and winner announcement. Bulletin 
board is a kind of public communication channel which can be read by anybody, 
but can be written only by legitimate party in an authentic way. All communica- 
tions are executed publicly via bulletin boards except the one-time registration 
message of bidder to RM. The registration and round key boards are written 
only by RM and the auction ticket board is written only by AM. The information 
posted on each bulletin board is as follows. 

Registration board (written by RM) 

— RM publishes the identities and public keys of registered bidders. 

Round key board (written by RM) 

— RM computes round keys for every registered bidder and publishes them 
in a shuffled way. 

Auction ticket board (written by AM) 

— AM computes auction tickets for every valid bidder listed on RM’s round 
key board and publishes them in a shuffled way. 

Bidding board (written by bidders) 

— Each bidder posts his bidding information on this board. Only a bid 
higher than the previous highest one can be posted. Posting of a bid cannot 
be prevented by anybody. 

Winner announcement board (written by AM and RM) 

— In the winner announcement stage, AM publishes the winner dependent 
secret random number. 

— In the winner announcement stage, RM publishes the winner dependent 
secret information. 

To identify a winner in the winner announcement stage, RM and AM should 
keep bidder dependent secret information. Therefore, the following two secret 
databases are used. 

User information DB (managed by RM) 

— RM maintains secret user information for registered bidders. 

Random number DB (managed by AM) 

— AM maintains secret random numbers used to generate auction tickets 
in each round of auction. 

4.2 Public Auction Protocol 

The proposed public auction protocol consists of the following 5 stages. Regis- 
tration of bidder is only one-time in the auction protocol, but other 4 stages 
are executed in each round of auction. We depict the overall auction protocol in 
Figure 1. 
[Figure 1: the table of protocol stages 1 to 5 with columns Stage, Bidder $B_i$, RM and AM is not reproduced in the text.] 

Fig. 1. Public auction protocol 



Stage 1. One-time registration: 

A bidder $B_i$ registers with RM as follows: 

1. $B_i$ chooses his private key $x_i \in_R \mathbb{Z}_q$ and computes his 
public key $y_i = g^{x_i}$ (or a certified key with certificate can be used). 

2. $B_i$ chooses a random string $t_i \in \{0,1\}^*$ and keeps it secret. 

3. $B_i$ sends $(B_i, y_i, t_i)$ to RM secretly and proves his knowledge of the 
private key $x_i$ in zero-knowledge. 

4. If RM accepts $B_i$’s registration, he publishes $(B_i, y_i)$ on his 
registration board and keeps $(B_i, t_i)$ secretly in his secure user info DB. 

Stage 2. RM’s round key setup (k-th round auction): 

Now assume that RM, AM and all n bidders are involved in the k-th round of 
auction. RM computes n round keys $Y_i^k = y_i^{h^k(t_i)}$ for all n bidders 
using $y_i$ and $t_i$. Then he shuffles and publishes them on his round key 
board. Note that a bidder $B_i$ can easily check whether his round key is 
listed on the round key board because he can also compute the round key 
$Y_i^k$. But nobody except RM and $B_i$ knows the correspondence between $y_i$ 
and $Y_i^k$. If RM wants to revoke a bidder, he just removes the bidder from 
the registration board and removes the round key from the round key board. 
Stage 3. AM’s auction ticket preparation (k-th round auction): 

AM gets the list of all the round keys of n valid bidders from RM’s round key 
board. Then she executes the following steps. 

1. She chooses n random numbers $\{r_1, \dots, r_n\} \in_R \mathbb{Z}_q$. 

2. She computes the auction keys $(Y_i^k)^{r_i}$. 

3. She computes the ticket identifiers $T_i = h((Y_i^k)^{x_A})$. 

4. She shuffles and publishes the auction tickets $(T_i, (Y_i^k)^{r_i}, 
g^{r_i})$ on the auction ticket board. 

5. She keeps $(T_i, r_i)$ secretly in her secure random number DB. 

Note that a bidder $B_i$ can find the ticket identifier $T_i$ easily as he can 
compute $T_i = h(y_A^{x_i h^k(t_i)}) = h(K_i^{h^k(t_i)})$ in advance, while AM 
and RM cannot identify $B_i$ from $T_i$. 



Stage 4. Bidding (k-th round auction): 

A bidder $B_i$ who wants to participate in the k-th round of auction executes 
the following steps. 

1. He computes his round key as $Y_i^k = y_i^{h^k(t_i)}$ and checks whether his 
round key is listed on RM’s round key board. If his round key is not listed, he 
complains to RM. 

2. He computes his ticket identifier as $T_i = h(y_A^{x_i h^k(t_i)})$ and gets 
his auction ticket $(T_i, (Y_i^k)^{r_i}, g^{r_i})$ from the auction ticket 
board. If his auction ticket is not listed on the auction ticket board, he 
complains to AM. 

3. He checks the validity of his auction ticket by 
$(g^{r_i})^{h^k(t_i) x_i} = (Y_i^k)^{r_i}$. If it does not hold, he complains 
to AM. 

4. He prepares his bid information $(T_i, m_i, V_i)$ as follows and posts it on 
the bidding board. 

— $m_i$ = (auction ID || bid value), or any relevant information can be 
included. 

— $V_i = SK[\alpha_i : (Y_i^k)^{r_i} = (g^{r_i})^{\alpha_i}](m_i)$ where 
$\alpha_i = h^k(t_i) x_i$. 

The bid value should be higher than the previous highest one. Note that only 
the bidder $B_i$ who knows $\alpha_i = h^k(t_i) x_i$ (knows both $t_i$ and 
$x_i$) can compute the signature of knowledge $V_i$. 



Stage 5. Winner announcement (k-th round auction): 

Assume that a bid $m_j$ of bidder $B_j$ is the highest bid at the end of the 
bidding stage. AM and RM jointly publish the winner on the winner announcement 
board as follows. 

1. AM announces that $(T_j, m_j, V_j)$ is the winning bid. 

2. AM posts $(T_j, r_j, Y_j^k)$ on the winner announcement board, which reveals 
the correspondence between $Y_j^k$ and $(Y_j^k)^{r_j}$. 

3. RM posts $(Y_j^k, h^k(t_j), y_j)$ on the winner announcement board, which 
reveals the correspondence between $Y_j^k = y_j^{h^k(t_j)}$ and $y_j$. It shows 
that $B_j$ is the winner. 

4. Anyone verifies that $B_j$ is the winner using the published values $V_j$, 
$r_j$ and $h^k(t_j)$. 

Although $h^k(t_j)$ is published, $t_j$ is not revealed because of the 
one-wayness of the hash function. $h^l(t_j)$ cannot be computed from 
$h^k(t_j)$ for $l < k$ without knowing $t_j$. 

The ticket identifier $T_i$ can be recognized only by $B_i$ who knows both 
$t_i$ and $x_i$. $B_i$ recognizes the correspondence between $y_i$ and $Y_i^k$ 
using $t_i$ and recognizes the correspondence between $Y_i^k$ and $T_i$ using 
$x_i$. Anybody else, including RM and AM, cannot identify the two 
correspondences together. Therefore anonymity of the bidder is provided while 
giving an efficient ticket identifier. 

Public verifiability of the winner is provided by publishing $r_j$ and 
$h^k(t_j)$ together. $r_j$ can be published safely after the bidding is 
finished because it is a random number chosen by AM in a round of auction. 
$h^k(t_j)$ can also be published safely after the bidding is finished, because 
$h^l(t_j)$ for $l < k$ is not exposed if $t_j$ is kept secret. 
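The five stages of Section 4.2, together with the signature of knowledge (3.1), the hash chain (3.2) and the Diffie-Hellman ticket identifier (3.3), as one runnable Python model. This is an added example, not the authors' code: the toy group (a safe prime just above 2^40), SHA-256 as h(), the auction ID, the chain length MAX_ROUNDS and the backward direction of the hash chain are assumptions made here.

```python
"""One round of the proposed public auction (Sections 3.1-3.3 and 4.2, stages 1-5). Added
illustration, not the authors' code; group size, SHA-256 as h(), the auction ID, MAX_ROUNDS
and the backward direction of the hash chain are constructed assumptions (toy group only)."""
import hashlib
import secrets

MAX_ROUNDS = 16   # assumption: t_i is hashed this many times at registration


def is_prime(n):
    """Deterministic Miller-Rabin with bases 2..13, valid for n < 3.4e12."""
    if n < 2:
        return False
    for a in (2, 3, 5, 7, 11, 13):
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(start=1 << 40):
    """Smallest safe prime p = 2q + 1 with q >= start; g = 4 generates the order-q subgroup."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def H(*parts):
    """h(): SHA-256 of the '||'-joined decimal encodings of the arguments, as an integer."""
    return int.from_bytes(hashlib.sha256("||".join(map(str, parts)).encode()).digest(), "big")


def round_secret(t, k):
    """h^k(t_i) of Section 3.2 for round k, realised as h applied MAX_ROUNDS - k times so
    that the values published for rounds below k are images, not preimages, of it."""
    v = t
    for _ in range(MAX_ROUNDS - k):
        v = H(v)
    return v


def sk_sign(p, q, x, base, y_r, m):
    """SK[x : y_r = base^x](m) of Section 3.1 with base = g^r, y_r = y^r (c taken mod q)."""
    kk = secrets.randbelow(q - 1) + 1
    c = H(m, y_r, base, pow(base, kk, p)) % q
    return c, (kk - c * x) % q


def sk_verify(p, q, base, y_r, m, sig):
    c, s = sig   # check c = h(m || y^r || g^r || (g^r)^s (y^r)^c)
    return c == H(m, y_r, base, pow(base, s, p) * pow(y_r, c, p) % p) % q


def run_round(k=1, bids=(("alice", 100), ("bob", 120), ("carol", 110))):
    """Stages 1-5 of round k for the constructed bidders; returns (winner, verified)."""
    p, q, g = make_group()
    x_a = secrets.randbelow(q - 1) + 1
    y_a = pow(g, x_a, p)                                   # AM's key pair (x_A, y_A)
    # Stage 1: one-time registration. Bidder keeps x_i; RM's user info DB holds (y_i, t_i).
    keys = {name: (secrets.randbelow(q - 1) + 1, secrets.randbits(128)) for name, _ in bids}
    reg_board = {pow(g, x, p): name for name, (x, _) in keys.items()}     # y_i -> B_i
    rm_db = {pow(g, x, p): t for x, t in keys.values()}                   # y_i -> t_i
    # Stage 2: RM shuffles and publishes the round keys Y_i^k = y_i^{h^k(t_i)}.
    round_board = [pow(y, round_secret(t, k), p) for y, t in rm_db.items()]
    secrets.SystemRandom().shuffle(round_board)
    # Stage 3: AM publishes tickets (T_i, (Y_i^k)^{r_i}, g^{r_i}), T_i = h((Y_i^k)^{x_A}).
    am_db, ticket_board = {}, {}
    for Yk in round_board:
        r = secrets.randbelow(q - 1) + 1
        am_db[H(pow(Yk, x_a, p))] = (r, Yk)
        ticket_board[H(pow(Yk, x_a, p))] = (pow(Yk, r, p), pow(g, r, p))
    # Stage 4: each bidder finds his ticket via T_i = h(y_A^{x_i h^k(t_i)}) and posts a bid.
    bid_board = []
    for name, value in bids:
        x, t = keys[name]
        hk = round_secret(t, k)
        assert pow(pow(g, x, p), hk, p) in round_board, "round key missing: complain to RM"
        T = H(pow(y_a, x * hk, p))
        Y_r, g_r = ticket_board[T]                         # KeyError would mean: complain to AM
        alpha = hk * x % q
        assert pow(g_r, alpha, p) == Y_r, "ticket invalid: complain to AM"
        m = f"auction-7||{value}"                          # m_i = auction ID || bid value
        bid_board.append((T, m, sk_sign(p, q, alpha, g_r, Y_r, m)))
    # Stage 5: AM posts (T_j, r_j, Y_j^k), RM posts (Y_j^k, h^k(t_j), y_j); anyone verifies.
    T_j, m_j, V_j = max(bid_board, key=lambda b: int(b[1].split("||")[1]))
    r_j, Yk_j = am_db[T_j]
    y_j = next(y for y, t in rm_db.items() if pow(y, round_secret(t, k), p) == Yk_j)
    Y_r, g_r = ticket_board[T_j]
    verified = (sk_verify(p, q, g_r, Y_r, m_j, V_j)
                and pow(Yk_j, r_j, p) == Y_r and pow(g, r_j, p) == g_r
                and pow(y_j, round_secret(rm_db[y_j], k), p) == Yk_j and y_j in reg_board)
    return reg_board[y_j], verified
```

The chain direction matters: if h^k(t_i) were simply h applied k times, the h^l(t_i) published in earlier rounds (l < k) would reveal h^k(t_i), so the code hashes t_i fewer times in later rounds, which is what the winner-announcement text (h^l cannot be computed from h^k for l < k) requires.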

5 Features 

We discuss various features of the proposed public auction protocol according
to the list of requirements.

1. Anonymity: We assume that RM and AM do not collude to break the
anonymity of bidders. If they collude, they can identify any bidder. They
cooperate only for the winning bid, in a public way.

— Anonymity for RM: RM cannot identify $B_i$ from the auction tickets
$(T_i, (Y_i^k)^{x_i}, g^{x_i})$ published by AM on the auction ticket board or from the bidding
information $(T_i, m_i, V_i)$ posted by $B_i$ on the bidding board. Identifying $Y_i^k$
from $(Y_i^k)^{x_i}$ is a discrete logarithm problem. Without knowing the secret
shared key $K_i$ between $B_i$ and AM, RM cannot identify $B_i$ from $T_i$. RM
also cannot identify $B_i$ from $V_i$ because of the zero-knowledge property
of SK.

— Anonymity for AM: AM cannot identify $B_i$ from the round key $Y_i^k$ published
by RM without knowing $t_i$. Identifying $y_i$ from $Y_i^k = y_i^{h^k(t_i)}$ is
a discrete logarithm problem. Although AM knows the previous values
$h^l(t_i)$ for $l < k$, she cannot compute $h^k(t_i)$ because of the collision-resistance
of the cryptographic hash function $h()$. AM also cannot identify $B_i$ from $V_i$
because of the zero-knowledge property of SK.

2. Traceability: A winner's identity $B_j$ can be identified with the cooperation
of AM (publishing $x_j$) and RM (publishing $h^k(t_j)$) together, as shown in the
winner announcement stage.

3. No framing: Nobody can impersonate a bidder $B_i$ because the signature of
knowledge $V_i$ can be computed only with $a_i = h^k(t_i)\,x_i$, and the bidder $B_i$
is the only person who knows $a_i$. Even if RM and AM collude, they
cannot impersonate $B_i$.

4. Unforgeability: Nobody, including RM and AM, can forge a valid bid of
a bidder $B_i$ with a signature $V_i$.

5. Non-repudiation: The winner $B_j$ cannot repudiate his bid because it
contains his valid signature $V_j$.

6. Fairness: Because all bids are anonymous and are posted on the bidding
board by the bidders themselves, all bids are dealt with in a fair way.

7. Public verifiability: Because all the relevant information is published on bulletin
boards, anybody can verify the validity of a bid (by the signature of knowledge
$V_i$), the validity of a bidder (by the round key and auction ticket), and the
correctness of the winner announcement (by $x_j$ and $h^k(t_j)$).

8. Unlinkability (among different rounds of auction): Because the auction ticket
is generated by two randomization operations, by RM (round key generation)
and by AM (auction ticket generation), the auction ticket cannot be linked to
a bidder. Therefore, nobody can link the same bidder's bids across plural
rounds of auction.

9. Linkability (in a round of auction): Because the same auction ticket is used
throughout a round of auction, anybody can tell which bids are placed by the same
bidder and how many times a bidder places a bid in a round of auction.

10. Efficiency of bidding: In our protocol, most of the communication is executed in
a very simple way, by posting on public bulletin boards. The only exception is
that a bidder transmits $(B_i, y_i, t_i)$ to RM through a secure channel in the
one-time registration stage. No complex protocol, such as the non-repudiation
protocol introduced in [OM01], is required because a bidder posts
his bid on the bidding board. No secure channel between RM and the vendor
is required. The overall computation for one-time registration to RM
(1GSK+1VSK), round key generation by RM (1E), auction ticket generation
by AM (3E), computing bidding information by a bidder (2E+1GSK), and
verifying the winner announcement (2E+1VSK) is very efficient, where E,
GSK, and VSK represent modular exponentiation, generation of a signature
of knowledge, and verification of a signature of knowledge, respectively.

11. One-time registration: Although the winner's identity in a round of auction
is published, the anonymity of the auction ticket is maintained in subsequent rounds
of auction. Therefore, bidders can participate in plural rounds of auction
anonymously with a one-time registration.

12. Easy revocation: When a bidder wants to withdraw from an auction or RM
wants to revoke a bidder, RM can simply delete the bidder from his registration
board and the round key from the round key board.

We compare the features of the proposed protocol with [OM01] in Table 1. In
[OM01] AM can distinguish the winner's public key, although she does not know the
winner's identity, because the same public keys are used by AM repeatedly. Therefore,
anonymity for AM, fairness, and unlinkability are not satisfied. As discussed
in Section 2, public verifiability and one-time registration are not satisfied in
[OM01]. But the proposed scheme satisfies all these requirements. In terms of
computational load, the proposed scheme requires a little more exponentiation
than [OM01], but both systems are very practical for real application. In the
communication model, our scheme does not require any non-repudiation protocol
because bidding information is posted on the bidding board by the bidder.

Table 1. Comparison of proposed public auction scheme with [OM01]

Features                 | [OM01]       | Proposed
-------------------------+--------------+-------------
Anonymity for RM         | O            | O
Anonymity for AM         | X            | O
Traceability             | O            | O
No framing               | O            | O
Unforgeability           | O            | O
Non-repudiation          | O            | O
Fairness                 | X            | O
Public verifiability     | X            | O
Unlinkability            | X            | O
Linkability              | O            | O
One-time registration    | X            | O
Easy revocation          | O            | O
Registration             | 1GSK+1VSK    | 1GSK+1VSK
Round setup by RM        | -            | 1E
Round setup by AM        | 2E           | 3E
Bidding                  | 1E+1GSK      | 2E+1GSK
Winner announcement      | 1E+1VSK      | 2E+1VSK
Non-repudiation protocol | required     | not required

6 Conclusion 

We have pointed out the problem of [OM01], the lack of public verifiability in the
winner announcement stage, and proposed a new public auction scheme which
solves this problem. In our scheme both RM and AM execute randomization
operations in each round setup process, so that neither RM nor AM alone can identify
bidders, which makes the publication of the winner's identity possible. An efficient
ticket identifier is provided such that only a legitimate bidder can identify
his auction ticket easily while no other party can identify it.

Compared with [OM01], our scheme has the following advantages.

1. All the stages of public auction, including the winner announcement stage,
are publicly verifiable because all the relevant information is published on
bulletin boards.

2. The overall communication is more efficient. In our scheme the winner's identity
is published on bulletin boards, while it is secretly sent to the vendor by RM
in [OM01]. Therefore, a secure channel is not required in the winner announcement
stage and a non-repudiation protocol for fairness is not required.

3. Plural rounds of auction with one-time registration are possible in a verifiable
way.

One drawback of our scheme compared with [OM01] is that the round setup
process is executed by two entities, RM and AM, but this is an essential cost to
provide public verifiability together with anonymity under one-time registration.
Abstract. An analysis of integrity services in cryptologic protocols is
presented. The informal syntax, to be presented, attempts to model the 
integrity service as a property that is transferred from a key to a message. 
The message can, in turn, be a key. The modeling presupposes confiden- 
tiality and integrity to be the atomic properties or services offered by 
cryptologic algorithms. More complex algorithms and protocols, such 
as those for digital signature, identification protocols and non-malleable 
encryption, are considered to be ensembles of these services. This paper 
concentrates only on the analysis of the integrity service in signature 
techniques based on the proof of knowledge of discrete logarithm. The 
paper will demonstrate the usefulness of this modeling by identifying 
flaws in the recent proposals for an efficient electronic cash system and 
a key-recovery system. 

Keywords: Confidentiality, integrity, representation of cryptologic goals.



1 Introduction 

Confidentiality and integrity services are the atomic properties that are required
for the construction of cryptologic protocols. The work on network security
architectures by Rueppel [14] is an example of research with a similar view.
These properties can be viewed as follows: keys provide service (confidentiality
or integrity) to messages. The importance of entities (like Alice or Bob) is
deliberately avoided in the subsequent definitions and analyses in order to facilitate
a key-centric view of cryptosystems¹, which may be more appropriate for the
representation, analysis and design of cryptosystems. Such an approach does
not require any form of protocol idealisation [5], which may create more
difficulties in the analysis of protocols. Moreover, since the idealisation functions do
not have an inverse mapping (de-idealisation functions), the analysis techniques
employing such functions may not be useful directly in the design of protocols.

A cryptosystem can be viewed to be a composition of integrity and confidentiality
services, which can be considered to be independent of each other.
Although integrity and confidentiality services are not totally independent, the
results of this paper will be logically consistent. This is because if the relationship
between the two services were to be represented syntactically, the syntax
will only add more functionalities to the model and will not remove any.

* Research supported by the Australian Research Council grant A49804059
¹ This is as opposed to an entity-centric view, such as that of the BAN logic [5].

Due to this view, cryptosystems may be decomposed into an integrity com- 
ponent and a confidentiality component. This decomposition when represented 
in a suitable fashion will result in a simple characterisation of the goals of the 
cryptosystem - that is the integrity goal and the confidentiality goal. Many pro- 
posals in recent times, knowingly or unknowingly, have neglected the integrity 
goal of the cryptosystem. The negligence often results in deficient cryptosystems, 
which may be highly undesirable for many applications. 

The concern of this paper is an informal technique for the representation of
the integrity goal. There exist many papers that have attempted to represent the
confidentiality goal, such as the paper by Abadi and Rogaway [1]. So, this paper
will not deal with the representation of the confidentiality service. Section 2
presents an analysis of the integrity goal. The subsequent sections will employ the
proposed technique to analyse the electronic cash system proposed by Radu,
Govaerts and Vandewalle [12], and the fraud detectable key recovery scheme by
Verheul and van Tilborg [17].

2 An Integrity Verification Technique 

The informal working definitions for the integrity and confidentiality services are 
as follows: 

Definition 1 Confidentiality is the service that grants access to the message 
corresponding to the cipher-text when the access to the key is available. 

Definition 2 Integrity is the service that determines the immutability of a mes- 
sage corresponding to a cipher-text when the immutability of the key has been 
determined. 

These definitions express succinctly the importance of the confidentiality and 
integrity properties of the keys in cryptosystems. The aim of any cryptosystem 
is to maintain the confidentiality and integrity properties of the messages with 
respect to the corresponding properties of the keys. 

The transfer of a cryptologic property from a key to a message will be represented
as follows:

\[ K \xrightarrow{\ \mathrm{SERVICE}\ } M \]

where $\mathrm{SERVICE} \in \{\mathcal{C}, \mathcal{I}\}$ is the type of service, $\mathcal{C}$ is the keyword for the
confidentiality service and $\mathcal{I}$ is the keyword for the integrity service. Confidentiality
is the private view of the participants and integrity is the public view. The
terms private and public are relative, depending upon the assumptions about the
ownership of the various keys. Since this paper is interested only in the characterisation
of the integrity service, the subsequent representations will present only
the graphs for the transfer of the integrity service.
While characterising the integrity goal of any system (such as the Schnorr
signature scheme or Brands' e-cash scheme), the model will account only for the
verification equations. This abstraction is essential to model the unpredictable
behaviour of the signer. The signer's behaviour is unpredictable because the
verifier does not necessarily trust the signer. The behaviour of the verifier is
not modeled because it is assumed that the verifiers perform the verifications to
safeguard their interests. Moreover, it is not the concern of cryptology to force
the verifier to act properly during and after the verification process.

This section presents a protocol developer’s view, as opposed to a crypto- 
logic algorithm developer’s view, of the general purpose signature schemes and 
an informal syntax for the representation of the transfer of service from keys 
to messages. The results are then extended to represent the Schnorr signature 
scheme [15] in Section 2.1. Section 2.2 contains a discussion on Schnorr-type 
blind signature schemes [7,4] and outlines the subtleties that protocol designers 
must be aware of. 



2.1 Characterising Signature Schemes 

The following representation for signature schemes will be employed in this
paper:

\[ (PublicKey) \xrightarrow{(Ciphertexts)} (Message) \]

The term $(Ciphertexts)$ includes the result of any cryptographic operation, such
as encryption and signature operations. For example, if y = mod p for
suitable values of $p$ and $g$, then $y$ is a cipher-text. There may be one or more
individual cipher-texts in the system. Usually, the signature process is computationally
expensive and the messages are arbitrarily long. Additionally, the use of
secure hash functions improves the security of the verification equations. Therefore,
suitable message digest (symmetric key) techniques are employed. This
gives rise to two techniques.

The first technique is to sign the message digest. Suppose that an RSA public-key
pair [13], $[e, n]$, is employed to sign a message, $m$, employing a secure hash
function, $\mathcal{H}$, to generate the following verification equations:

\[ c = \mathcal{H}(m, A) \]
r = C mod n

then $[c, r]$ are the signature tuples. This technique is represented as follows:

\[ ((A \xrightarrow{c} m) \wedge ([e, n] \xrightarrow{r} c)) \]

where:

1. $c$ is the message digest;

2. $A$ is the symmetric key. When an unkeyed hash function is employed, $A = \emptyset$,
which is the null key.

3. $m$ is the message to be signed.

4. $[e, n]$ is the public key of the signer.

5. $r$ is the signature cipher-text.

Henceforth, the logical "and" operation will be represented by the symbol $\wedge$.
This operator means that the individual verification equations must all output true
for the verification system to output true. Note that the $\emptyset$ key represents the
no-key scenario and is known globally to all participants. Also note the myriad
of protocol design possibilities when $SymmetricKey$ is not equal to the $\emptyset$ key.

The second technique is to sign a symmetric key that would provide the integrity
service to the message. The technique proposed by Fiat and Shamir [9],
and adopted by Schnorr [15], is a good example. Such a signature technique is
represented as follows:

\[ ((PublicKey) \xrightarrow{(SignatureCiphertext)} (SymmetricKey) \xrightarrow{(MessageDigest)} (Message)) \]

The symmetric key, in this case, cannot be $\emptyset$ (the null key). Note that the
representation, by itself, does not suggest that the signature cipher-text provides
non-repudiation service to the message; rather it suggests the integrity service
for the symmetric key, which in turn provides integrity service to the message.
This is because the representation deals with a lower level view to trace the
flow of integrity service, which is more basic than the non-repudiation service.
In order to achieve the non-repudiation service for the message, a one-to-one
relationship between the symmetric key and the message, which in the Schnorr
signature scheme is achieved by a one-to-one relationship between the signature
cipher-text and the message digest, is essential. The rest of this section will
explain this form of representation in detail.

A tuple $[r, c]$ is a valid Schnorr signature on a set of messages $m$ by the
public key $[g, y, p]$ (henceforth the symbol $p$, representing the prime number, will
be omitted whenever it can be implicitly understood), if the following equation
holds:

\[ c = \mathcal{H}(m, A) \]

where $\mathcal{H}$ is a secure hash function, $c$ is the message digest and $A = y^c g^r$ is
the symmetric key. The integrity goal of the Schnorr signature scheme can be
expressed as follows:

\[ ([g, y] \xrightarrow{[c,r]} A \xrightarrow{c} m) \quad (1) \]

That is, a trusted public key, $[g, y]$, provides integrity service to a symmetric key,
$A$, by employing the cipher-texts $[c, r]$. The symmetric key $A$, in turn, provides
integrity service to the message $m$ by employing the cipher-text $c$. The same
value of the cipher-text $c$ is employed by the public key and the symmetric key.
It is important to note that in Schnorr-type signature schemes, the structure of
$A$ with respect to $g$ is similar to the structure of $y$ with respect to $g$. That is,
by knowing the discrete logarithm $\log_g y$ and the signature tuple, it is possible
to know the value of $\log_g A$, and vice versa. This is an important requirement
to prevent the generation of multiple signature transcripts from a single Schnorr
signature. Henceforth, the Q delimiter will separate verification equations from
each other.

The proof of equality of discrete logarithms employed by Chaum and van
Antwerpen [6] resembles the Schnorr signature. It proves that $\log_g y = \log_u v$
for some $u$ and $v$. Note that $[g, y]$ or $[u, v]$ must be trusted or certified. The
verification equation for such a scheme is as follows:

\[ c = \mathcal{H}(m, A, B) \]

where,

1. $c$ is the message digest;

2. $\mathcal{H}$ is a secure hash;

3. $m$ is the set of messages;

4. $[c, r]$ is the signature cipher-text; and

5. $A = y^c g^r$ and $B = u^r v^c$ are the symmetric keys.

The integrity goal of this scheme can be expressed as follows:

\[ ((([g, y] \xrightarrow{[c,r]} A) \wedge ([u, v] \xrightarrow{[c,r]} B)) \xrightarrow{c} m) \quad (2) \]

The symmetric keys $A$ and $B$ provide integrity service to $m$. It is crucially
important to note that $[g, y]$ or $[u, v]$ must be certified (using some private or
public certification scheme) before any integrity deductions can be made. The
protocol associates the integrity of $[g, y]$ (or $[u, v]$) with the integrity of $[u, v]$ (or
$[g, y]$). Once this association is made and the absolute integrity of at least one
of the key tuples is deduced, then the integrity of the symmetric keys $[A, B]$,
and thereby of the message $m$, can be deduced. Without certification of any of the
keys, no meaningful deductions on the integrity service can be made. Note that
this requirement is inherited from the Schnorr signature scheme represented in
Equation 1.

2.2 Characterising Schnorr-Type Blind Signature Schemes

The blind signature technique [8] allows an entity to obtain a signature tuple 
on a message from a signer without revealing either the signature tuple or the 
message. This allows the entity to prove to any other entity that it was authorised 
by the signer without revealing its identity - the entity is anonymous. 

A well known method to obtain a blind signature requires the signer to engage
in an honest-verifier zero-knowledge identification protocol with the receiver (of
the signature), who would play the role of a skewed honest-verifier to obtain
the blind signature. Chaum and Pedersen [7] demonstrated the technique to
obtain a blind Schnorr signature, which was later modified by Brands [4] to
obtain a specialised version called restrictive blind signature. The purpose of
this section is to characterise both these schemes in order to highlight their
subtle and important properties, which are usually ignored by some protocol
designers. This oversight introduces many deficiencies in the integrity goal of
the resulting cryptosystem.

A Schnorr-type blind signature was first proposed by Chaum and Pedersen [7].
The signature tuple is the same as that of the Schnorr signature scheme (see
Section 2.1) and has the same signature verification equation. The only difference
is that the signer cannot know the message that is being signed, which in
the case of the Schnorr signature is the symmetric key and not the message itself.
This is a subtle point that should actually mean that the signer is authorising
the symmetric key only and does not necessarily authorise the message that the
symmetric key may provide integrity to, as was the case in the original Schnorr
signature scheme. Interestingly, this problem has a counterpart in key recovery
research (and cryptologic research as a whole), where it is a difficult problem
to restrict the use of certified keys [10].

Since the verification equation for a blind Schnorr signature is the same as that of
the Schnorr signature scheme, this subtlety is introduced in the representation of
the integrity goal by employing a modifier. This is because the blinding process
provides confidentiality service and the syntax presented in this paper deals only
with the integrity service. Since the blinding process does not alter the integrity
goal of the protocol, any alteration of the representation of the integrity goal for
the Schnorr signature, to introduce the subtlety, must be purely a convention.
The best way to accomplish this requirement would be to introduce a modifier. In
Equation 1, the message that is signed, $m$, is represented employing a modifier
as $\tilde{m}$. Syntactically, Equation 1 is otherwise unchanged. The integrity goal is
represented as follows:

\[ ([g, y] \xrightarrow{[c,r]} A \xrightarrow{c} \tilde{m}) \quad (3) \]

Note that the signature generation procedure may or may not be blinded², so
the modifier is intended only for the interpretation of a potential weakness in
an argument. In other words, the modifier is a statement of intent and not of
fact. In the previous equation, the modifier suggests that the signer may have
no control over the message, $m$.

The restrictive blind signature by Brands [4] is similar to the blind Schnorr
signature scheme [7], with the additional property that the signer guarantees
the structure of the symmetric key, $A$. In the original proposal [4], the signer
employs the Schnorr variant (by Chaum and van Antwerpen, see Section 2.1)
represented by Equation 2 and guarantees the representation (structure) of one
of the symmetric keys with respect to the bases $[g_1, g_2]$. The verification equations
employed by the merchant (during the spending phase) and the bank (during
the deposit phase) in Brands' scheme are as follows:

\[ c = \mathcal{H}(A, B, z, a, b) \]
\[ a = g^{r} y^{-c} \]
b =
\[ d = \mathcal{H}_0(A, B, \cdots) \]
\[ B = g_1^{r_1} g_2^{r_2} A^{-d} \]

where:

1. $c$ and $d$ are message digests;

2. $\mathcal{H}$ and $\mathcal{H}_0$ are secure hash functions;

3. $[A, z]$ is a temporary key pair;

4. $B$ is a message;

5. $[a, b]$ is the symmetric key tuple blindly authorised by the bank; and,

6. $[g, g_1, g_2, y, y_1, y_2]$ is the public key of the bank such that $y = g^{x}$, $y_1 = g_1^{x}$
and $y_2 = g_2^{x}$, where $x$ is the bank's private key;

7. $[r, c]$ is the signature tuple by the bank; and,

8. $[r_1, r_2]$ is the signature tuple on $B$ employing the key $[g_1, g_2, A]$.

The integrity goal of this scheme is represented as follows:

\[ ((([g, y] \xrightarrow{[c,r]} a) \wedge ([A, z] \xrightarrow{[c,r]} b)) \xrightarrow{c} \tilde{B}) \wedge ([g_1, g_2, A] \xrightarrow{[r_1, r_2, d]} B \xrightarrow{d} [A, \cdots]) \quad (4) \]

It can be read as: the bank authorises the symmetric keys $[a, b]$ using its public
key $[g, y]$ and, $[A, z]$ by its association with $[g, y]$. The symmetric keys provide
integrity service to $B$ (note the use of the modifier as $\tilde{B}$ to represent the blind
operation). This is the joint statement of the first verification equation. The second
verification equation provides integrity service to $B$ by employing the public
key $[g_1, g_2, A]$ and the cipher-texts $[r_1, r_2, d]$. $B$, in turn, provides integrity service
to a predetermined set of messages and $A$. This is not a blinded operation.
The implicit assumption for the goal of this proposal is the association of the
bases $[g_1, g_2]$ with the key $A$, which was a part of the key $[A, z]$ which was
associated with $[g, y]$ by the blind signature process. Thereby, whoever possessed
the signature (the first verification equation) must also possess the knowledge
of the representation of $A$ with respect to the bases $[g_1, g_2]$ (just as the Schnorr
signature scheme required the signer to possess the representation of the public
key $y$ with respect to the base $g$), and therefore the representation of $B$. This
additional check allowed the bank (which took part in the signature generation
process) to gain another implicit confidence: the blind signature transcript
contains a valid, hidden identity that is a representation of the bases $[g_1, g_2]$. In
the case of electronic cash systems employing blind signature, the merchant,
without trusting the bank, cannot gain this knowledge as it can make no logical
deductions about the withdrawal protocol (signature generation process).

² In the case of an e-cash system the customer could engage in a normal Schnorr
signature protocol with the bank, and the merchant cannot discern this fact.
3 Analysis of an Efficient E-Cash Proposal

Electronic cash systems, like physical cash systems and unlike electronic payment
systems such as credit cards, allow the users to anonymously spend legitimate
amounts of currency. The anonymity property is mutually exclusive of the
properties for tracing transactions.

This section will analyse the e-cash proposal of Radu, Govaerts and Vandewalle
[12]. The proposal is a three-phased withdrawal mechanism, presented
briefly as follows:

1. get-pseudonym protocol between the user and the bank to obtain a restrictive
blind signature on a pseudonym, $\pi$, by employing the Brands withdrawal
protocol (see Equation 4). This allows the bank to guarantee that
the pseudonym $\pi$ is derived from a registered identity $\pi_0$.

2. withdraw-big-coin protocol between the user and the bank allows the user
to obtain a blind Schnorr signature (see Equation 3) on a big coin that
associates a pseudonym, $\beta$, with a valid long-term pseudonym $\pi$; and,

3. exchange-big-coin protocol between the user and the bank that allows the
user to anonymously withdraw many small coins after providing the bank
with a valid big coin and the corresponding long-term pseudonym $\pi$.

The user can spend the small coins with any merchant. Radu et al. proposed
the use of a smart-card during the spending protocol that will act as an observer
to prevent double spending of small coins (refer to the paper by Chaum and
Pedersen [7] for a detailed discussion on this topic). The certified public key of
the bank is represented by the tuple $[g, P, P_1]$ such that the bank possesses the
representation of $P$ and $P_1$ to the base $g$.

As stated previously in Section 2.2, a blind signature must be considered
as an authorisation for a symmetric key and not for the message that could
be serviced by the symmetric key. Radu et al. did not observe this caution in
their proposal for an efficient e-cash. As will be shown, this oversight results in
a weakness in their proposal that allows unaccounted transfer of funds between
accounts; that is, the property of non-transferability is not achieved.

The verification equations that the bank employs to verify the long-term
pseudonym during the exchange-big-coin phase are as follows:

\[ c = \mathcal{H}(\pi, z, a, B) \]
A = /P=
\[ d = \mathcal{H}_0(\beta, a) \]
\[ a = g_1^{?}\, g_2^{?} \]

These are the verification equations of Brands' restrictive blind signature scheme
discussed in Section 2.2. The representation for the verification of the long-term
pseudonym component of the big coin is as follows:

\[ [c,r] \to A) \wedge ([\pi, z] \quad [r_1, r_2, d] \quad [c,r] \to B)) \to [\tilde{\pi}, \tilde{z}] \wedge \quad (5) \]

In Brands' scheme, the symmetric key $a$ ($B$ in Equation 4) was serviced by
$c$, which restricted the use of $a$ to only one servicing; otherwise the private key
of the user would be revealed (a deficiency of Schnorr-type signature schemes).
Whereas, in the scheme proposed by Radu et al., the symmetric key $a$ was not
serviced by $c$. Thereby the value of $a$ can be changed (it is mutable) to allow for
multiple servicing of multiple values of $\beta$ by $\pi$.
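Section 2.1's verification equation ($c = \mathcal{H}(m, A)$ with $A = y^c g^r$) and the remark just above, that a Schnorr-type symmetric key may be serviced only once or the private key is revealed, are both shown by the following added Python example (written for this page; it is not code from the paper or from any scheme it cites). The toy group, the hash-to-$\mathbb{Z}_q$ instantiation, the private key and the ephemeral $k$ are constructed values; $k$ is passed in explicitly only so that the reuse case can be reproduced.

```python
import hashlib

# Constructed toy Schnorr group: p = 2q + 1, both prime, g of order q.
# Real deployments use groups of cryptographic size; the equations are unchanged.
P, Q, G = 10007, 5003, 4


def digest(message: bytes, a: int) -> int:
    """c = H(m, A): the message digest, reduced into Z_q (assumed
    instantiation of the paper's hash H)."""
    h = hashlib.sha256(message + a.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % Q


def keygen(x: int) -> int:
    """Public key y = g^x for private key x."""
    return pow(G, x, P)


def sign(x: int, k: int, message: bytes):
    """Signature tuple [c, r]: A = g^k, c = H(m, A), r = k - c x mod q.
    k is a parameter only so the run is reproducible; a signer must draw a
    fresh secret k for every signature (see recover_from_reuse)."""
    a = pow(G, k, P)
    c = digest(message, a)
    return c, (k - c * x) % Q


def verify(y: int, message: bytes, sig) -> bool:
    """Recompute the symmetric key A = y^c g^r from the public key and the
    cipher-texts [c, r], then check that A services m: c = H(m, A)."""
    c, r = sig
    a = (pow(y, c, P) * pow(G, r, P)) % P
    return digest(message, a) == c


def recover_from_reuse(sig1, sig2):
    """If one A (one k) services two different digests, then
    r1 - r2 = (c2 - c1) x mod q and the private key x follows. This is why a
    Schnorr-type symmetric key may be serviced only once."""
    (c1, r1), (c2, r2) = sig1, sig2
    if c1 == c2:
        return None
    return ((r1 - r2) * pow((c2 - c1) % Q, -1, Q)) % Q


def demo() -> dict:
    x = 123                                   # constructed private key
    y = keygen(x)
    m1, m2 = b"bid 100", b"bid 250"
    sig = sign(x, 45, m1)
    same_a_again = sign(x, 45, m2)            # same k, hence same A, new message
    return {
        "valid": verify(y, m1, sig),
        "tampered_message": verify(y, m2, sig),        # A unchanged, digest differs
        "wrong_public_key": verify(keygen(5), m1, sig),
        "recovered_x": recover_from_reuse(sig, same_a_again),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never sees $k$; it rebuilds $A$ from $[g, y]$ and $[c, r]$ and then asks whether that $A$ services $m$, which is exactly the two-arrow flow of Equation 1. recover_from_reuse shows the other direction of the same structure: once the same $A$ has serviced two digests, the public transcripts alone determine $\log_g y$.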

The verification equations that the bank employs to verify the big coin during
the exchange-big-coin phase are as follows:

\[ e = \mathcal{H}(\beta, \pi, D) \]
\[ D = g^{r_3} P_1^{e} \]

This is a blind Schnorr signature explained in Section 2.2 by Equation 3. The
representation for the verification of the short-term pseudonym ($\beta$) component
of the big coin is as follows:

\[ ([g, P_1] \xrightarrow{[e, r_3]} D \xrightarrow{e} [\tilde{\beta}, \tilde{\pi}]) \quad (6) \]

Note that the claimed association between a long-term pseudonym, $\pi$, and the
short-term pseudonym, $\beta$, happens during this protocol. Also, note the modified
term, $[\tilde{\beta}, \tilde{\pi}]$, which suggests that the signer (the bank) with the public key $[g, P_1]$
can have no control over the values $[\beta, \pi]$.

Radu, Govaerts and Vandewalle analysed $[e, r_3]$ as a signature on $[\beta, \pi]$ by
the key pair $[g, P_1]$, the certified public key of the bank. Therefore, they argued
that the association was authorised by the bank. The flaw in this argument
is: $[e, r_3]$ is a blind signature on $[\beta, \pi]$. Referring to Equation 6, clearly the
integrity check relies on the use of the key, $D$, which was authorised by the bank,
to associate the tuple $[\beta, \pi]$, and this problem is similar to the generic situation
explained in Section 2.2. That is, the bank is trusting the user to correctly
associate one of his/her long-term pseudonyms, $\pi$, with a short-term pseudonym,
$\beta$. This allows the user to associate the $\pi$ value of another user with the $\beta$ value
that resulted from his/her withdrawal. In effect, this would allow unaccounted
money transfer between users, which may result in perfect blackmailing and/or
money laundering [18]. Although Radu et al. did not comment on the property
of non-transferability³ in their paper, many practical monetary systems
require this property for their proper functioning. Therefore, their scheme lacks
the non-transferability property, primarily due to the lack of consistent integrity
checks.

In order to visualise this problem, let the long-term pseudonym of a blackmailer
be $\pi$, which was derived from his/her long-term identity $\pi_0$ using the
get-pseudonym protocol. The blackmailer can perform the following actions to
achieve a perfect blackmail:

1. allow the victim user to participate in the mutual-authentication protocol
that takes place before the withdraw-big-coin transaction;

2. logically or physically hijack the withdrawal terminal from the victim user
to prevent him/her from registering the value of $\pi$; and,

3. perform the withdraw-big-coin transaction with the bank as prescribed by
the protocol, employing $\pi$ as the pseudonym.

³ The property which is essential to prevent unaccounted transfer of funds.
4 Analysis of the Binding ElGamal Proposal 

Key recovery infrastructures aim to provide a restricted confidentiality channel for
users' communications. The confidentiality property of the channel is restricted
because, unlike in traditional key establishment systems, the messages
communicated by the users can be accessed or wire-tapped by authorised entities
called escrow agents. Such systems were primarily motivated by the needs of law
enforcement agencies.

Verheul and van Tilborg [17] proposed a fraud detectable key recovery scheme.
The proposal was aimed to allow any third party to verify if a sender has
encrypted the session key value to the receiver and the escrow agents. The
verification equations, which were proposed to detect activities that could by-pass
the key-recovery infrastructure, were:

c = H(E, C, R_A, R_B, R_M, D, F, I, ...)

D = g^r C^c

F = (y_A/y_M)^r (R_A/R_M)^c

I = (y_B/y_M)^r (R_B/R_M)^c (7)

where H is a secure hash function and [c, r] is a Schnorr signature tuple. This check
was aimed to show that the message encrypted in R_A = S y_A^k and R_M = S y_M^k
(C = g^k) is the same, without revealing the message.

Using the notation presented in Equation 2, Section 2.1, the following
representation for the verification equations of the key recovery scheme can be
determined:

((([g, C] ⊢ D) ∧ ([y_A/y_M, R_A/R_M] ⊢ F) ∧ ([y_B/y_M, R_B/R_M] ⊢ I)) ∈ [R_A, R_B, R_M, ...]) (8)

Note that none of the key pairs ([g, C], [y_A/y_M, R_A/R_M], [y_B/y_M, R_B/R_M])
providing the integrity service are certified. It is evident that this representation is
similar to the representation provided in Equations 1 and 2. By comparing the
above representation with Equations 1 and 2, the following observations can be
made:
1. none of the key pairs ([g, C], [y_A/y_M, R_A/R_M] and [y_B/y_M, R_B/R_M]) can be
trusted because they are uniformly chosen by the sender (who is not trusted
for certification procedures);

2. ratios of keys provide the integrity service to the symmetric keys F and I,
which is not a standard assumption of Schnorr-type signatures.

These observations suggest a deficiency in the system that allows the sender to
manipulate the keys, which were meant to be the starting point of the integrity
service; that is, if the starting point is corrupted then the integrity service
that it transfers is also corrupted. This weakness in the integrity service could
potentially result in attacks on the protocol, like the attack to be presented in
this section.

Prior to discussing an attack on the key recovery system, the meaning of a
non-trivial attack must be understood. A key recovery protocol is deficient if
successful adversaries abide by the message formats suggested by the protocol and
procure legitimate services from the key recovery infrastructure to ensure secure
communication. For example, if a public-key based key recovery system provides a
robust certification mechanism, such as a robust public key infrastructure, and
requires key recovery enablement before the certification can be employed, then
an adversary is successful when certified public keys are employed and key
recovery is avoided. The attack on the proposal by Verheul and van Tilborg [17], by
Pfitzmann and Waidner [11], need not necessarily be an attack on the protocol
proposed by Verheul and van Tilborg; rather it is an attack on all session-key
recovery systems without any form of private-key recovery. It outlines the generic
concealed-encryption attack (footnote 4) on key recovery protocols and fails to explain the
manner in which the concealed key may be established. Although the attack
proposed in this section exploits the property of the concealed-encryption attack, it is
not a generic attack on all session-key recovery protocols; rather it is a specialised
attack on the proposal [17], which resulted from an oversight in the protocol
design. Moreover, this section will detail the manner in which an illegal session
key can be established using the key recovery infrastructure. This distinction is
important for protocol designers, who may employ the proposed fraud detection
mechanism [17] for a different application that may not have properties similar
to those of key-recovery applications. For example, refer to the paper by Abe [2],
which successfully employed a similar integrity verification mechanism for a mix
network proposal.

Suppose that the sender and a hidden receiver (H) would like to communicate
using the actual receiver (M) as the decoy. The sender can accomplish this
by employing the following steps:

1. Choose a random session key, S.

2. Encrypt the message with S to obtain the cipher-text, E.

3. Obtain the public keys of the hidden receiver, y_H, the decoy, y_M, and the
authorities (y_A, y_B).

Footnote 4: There is no technique available to check if a claimed key was used during the
encryption process; verifiable encryption for symmetric key systems is not currently
available.
4. Choose a random value for k.

5. Compute a decoy session key, \bar{S} =

6. Encrypt the decoy session key for the decoy and the authorities, R_M =
\bar{S} y_M^k = S y_H^k, R_A = \bar{S} y_A^k, R_B = \bar{S} y_B^k and C = g^k.

7. Form the verification equation as suggested by the representation in
Equation 8.

8. Send the cipher-texts and verification parameters to the decoy.

The hidden receiver performs the following steps:

1. Wiretap the communication to the decoy to obtain E, R_M and C.

2. Obtain the session key, S = R_M / C^{x_H}, where x_H is the private key of the hidden
receiver.

3. Decrypt E using S to obtain the message.

The monitor will verify the equations properly, the decoy receiver and the
authorities will retrieve the decoy session key, \bar{S}, from the respective cipher-texts
employing their respective private keys, and the decoy session key, \bar{S}, will not
decrypt E correctly. Also note that it will be difficult to find the hidden
receiver, y_H, or the actual session key, S (finding the hidden receiver would imply
breaking the multi-ElGamal cryptosystem proposed in the paper [17]).

5 Conclusion 

The paper presented a novel technique to represent the integrity goal of a system 
by accounting for all the verification equations and ignoring the unnecessary 
protocol complexities that produced the equations. An abstraction to encompass 
the unpredictability of the protocol participants was also proposed. The use of the 
technique was demonstrated by the identification of similar protocol deficiencies 
in seemingly different scenarios. 

Many proposals for compliant systems tend to ignore the importance of the 
integrity service, while in pursuit of the confidentiality service. Blaze [3] formu- 
lated an attack on the integrity service in the Clipper proposal [16], which was 
predominantly focused on the confidentiality service. Unfortunately, many pro- 
tocols in various fields of cryptologic application still succumb to attacks similar 
to those detailed in Sections 3 and 4, namely attacks exploiting weaknesses in 
integrity services. In order to design robust and secure protocols the integrity 
and the confidentiality services must be carefully designed and integrated. 

Prospective formal syntax that can represent precisely both the confiden- 
tiality and the integrity goals will greatly improve protocol logic development. 
Research for such a syntax will be very useful, both theoretically and practically. 

References 

1. Martin Abadi and Phillip Rogaway. Reconciling two views of cryptography (the 
computational soundness of formal encryption). In IFIP International Confer- 
ence on Theoretical Computer Science (IFIP TCS2000), Sendai, Japan, 2000. To 
appear. 







2. Masayuki Abe. Mix-networks on permutation networks. In K. Lam, E. Okamoto,
and C. Xing, editors, Advances in Cryptology - ASIACRYPT'99, volume 1716 of
LNCS, pages 258-273. Springer-Verlag, 1999.

3. Matt Blaze. Protocol failure in the escrowed encryption standard. In The 2nd
ACM Conference on Computer and Communications Security, November 1994.

4. Stefan Brands. Untraceable off-line cash in wallet with observers. In Tor Helleseth,
editor, Advances in Cryptology - CRYPTO'93, volume 773 of LNCS, pages
344-359. Springer-Verlag, 1993.

5. M. Burrows, M. Abadi, and R. M. Needham. A logic of authentication. In
Proceedings of the Royal Society of London, volume 426, pages 233-271, 1989.

6. D. Chaum and H. van Antwerpen. Undeniable signatures. In G. Brassard, editor,
Advances in Cryptology - CRYPTO'89, volume 435 of LNCS, pages 212-216.
Springer-Verlag, 1989.

7. David Chaum and T. Pedersen. Wallet databases with observers. In Ernest F.
Brickell, editor, Advances in Cryptology - CRYPTO'92, volume 740 of LNCS, pages
89-105. Springer-Verlag, 1992.

8. David Chaum. Blind signatures for untraceable payments. In D. Chaum,
R.L. Rivest, and A.T. Sherman, editors, Advances in Cryptology - CRYPTO'82, pages
199-203. Plenum Press, 1983.

9. A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification
and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology -
CRYPTO'86, volume 263 of LNCS, pages 186-194. Springer-Verlag, 1986.

10. Lars R. Knudsen and Torben P. Pedersen. On the difficulty of software key escrow.
In U. M. Maurer, editor, Advances in Cryptology - EUROCRYPT'96, volume 1070
of LNCS, pages 237-244. Springer-Verlag, 1996.

11. Birgit Pfitzmann and Michael Waidner. How to break fraud-detectable key
recovery. Operating Systems Review, ACM Press, 32(1):23-28, January 1998.

12. Cristian Radu, Rene Govaerts, and Joos Vandewalle. Efficient electronic cash with
restricted privacy. In Rafael Hirschfeld, editor, Financial Cryptography, FC'97,
volume 1318 of LNCS, pages 24-28. Springer-Verlag, 1997.

13. Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining
digital signatures and public-key cryptosystems. Communications of the ACM,
21(2):120-126, 1978.

14. Rainer A. Rueppel. A formal approach to security architectures. In Donald W.
Davies, editor, Advances in Cryptology - EUROCRYPT'91, volume 547 of LNCS,
pages 387-398. Springer-Verlag, 1991.

15. C.P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology,
4:161-174, 1991.

16. U.S. Department of Commerce / National Institute of Standards and
Technology. Federal Information Processing Standard 185 - Escrowed Encryption
Standard, February 1994.

17. Eric R. Verheul and Henk C.A. van Tilborg. Binding ElGamal: A fraud-detectable
alternative to key-escrow proposals. In Walter Fumy, editor, Advances in
Cryptology - EUROCRYPT'97, volume 1233 of LNCS, pages 119-133. Springer-Verlag,
1997.

18. B. von Solms and D. Naccache. On blind signatures and perfect crimes. Computers
and Security, pages 581-583, October 1992.




Cryptanalysis of the Nonlinear FeedForward Generator



S.S. Bedi and N. Rajesh Pillai 
Scientific Analysis Group, DRDO, Delhi 110054 



Abstract. The nonlinear feedforward generator is one of the commonly
used building blocks of stream ciphers. This paper describes a novel
known-plaintext attack for cryptanalyzing the nonlinear feedforward
generator. The plaintext requirement of the attack is only twice the length
of the shift register. The implementation of this attack could identify
the initial settings of the system for a 128 stage register and a randomly
chosen nonlinear feedforward function of 10 variables in a few minutes on
a P-II 300 MHz machine.



1 Introduction 

The nonlinear feedforward generator is one of the commonly used building blocks
of stream ciphers. This paper describes a new technique for cryptanalyzing the
feedforward generator. Given just 2n bits of the plaintext, where n is the length
of the shift register, the attack determines the initial setting of the shift register.
The basic idea is to form a system of Boolean equations describing the relationship
between the keysequence (obtained by XORing the ciphertext with the known plaintext)
and the initial settings. We then use the techniques developed by Zakrevskij and
Vasilkova [8] for solving a system of nonlinear equations.

The proposed attack is very efficient and in most of the cases we got results
within a few minutes. We believe that this attack can be extended to attack other
building blocks of stream ciphers also.

The nonlinear feedforward generator is made up of a linear feedback shift
register (LFSR) and a nonlinear Boolean function. The shift register is allowed
to run (with its feedback polynomial deciding the bit to be shifted in). The
nonlinear feedforward function (NLFF) takes some of the bits of the LFSR as
input and calculates the output bit. The location in the LFSR from where an input
bit for the NLFF is picked is called a tappoint, or tap for short. Figure 1 shows a
block diagram of a nonlinear feedforward generator.

It is known (corollary 5.6 of [4]) that the lower bound for the linear complexity
(LC) of an NLFF generator can be expressed in terms of L, the length of the shift
register, and k, the number of taps, under suitable conditions as LC ≥ \binom{L}{k}.

For L = 50, k = 8, we have LC ≥ \binom{50}{8} = 536878650 ≈ 5.4 × 10^8.

In this paper we will be dealing with feedforward functions with equidistant
taps.

Fig. 1. Nonlinear Feedforward Generator (block diagram; the output is labelled Keysequence)



2 Attacks on Nonlinear FeedForward Generator 

We summarize the few existing known results in this area. Correlation attacks
are the most common class of attacks applied on stream ciphers. See [5] for an
overview of this type of attack. Correlation attacks work when there is
correlation between the output sequence and the input sequence to the nonlinear function.
Anderson [1] describes how to pick up subsequences with optimum correlation
properties for mounting the correlation attack on feedforward generators for
known plaintexts. Correlation attacks work for ciphertext-only attacks also. They
need a ciphertext length dependent on the value of the correlation. The typical ciphertext
length required would vary from 4000 bits (very optimistic case) to the order of 10^8.

Among the known-plaintext attacks, the generalized inversion attack [2], [3]
is very effective in cryptanalyzing nonlinear filter generators. It has a complexity
which is exponential in the distance (d) between the first and last tap points of the
feedforward function. The generalized inversion attack will be practical if the
feedforward function has its tap points bunched together or if it can be converted
to this form (say by uniform decimation). This attack is based on the theory of
branching processes.

Our attack uses a totally different approach to this problem. We use the
description of the system to set up nonlinear equations capturing the relations between
the initial settings (unknown) and the bits of the output sequence (known part).
Then we solve the system for the unknown initial variables.

3 Solving Nonlinear Boolean Equations 

Solving an arbitrary set of Boolean equations (also known as the satisfiability
problem) is an NP-complete problem. Currently only exponential time algorithms
are available for the general case. But if the system of equations is of a
special kind, solutions can be obtained efficiently. We have used the technique
of local reduction developed by Zakrevskij and Vasilkova [8] in our work. The local
reduction technique can solve large systems of nonlinear Boolean equations
efficiently when the number of variables in each equation is small (typically less than
10) and there are equations having large overlaps in their sets of variables.
3.1 Local Reduction Technique of Solving a System of Nonlinear Equations

Given a system of nonlinear Boolean equations of the form F_i = 1, the local
reduction technique takes two equations at a time and reduces the number of
points in the solution space to be tried out.

Representation of the equations: For each equation, the system will store the
variables in the equation and the onset. (The onset of an equation is the set of points at
which the equation is satisfied.) For example, xy ⊕ yz = 1 will be represented as the
set of (binary) numbers {110, 011} over the variables (x, y, z). This means that
the equation is satisfied when x = 1, y = 1, z = 0 and when x = 0, y = 1, z = 1
and at no other points.

Given two equations, whose variable sets have a nonempty intersection, say

Eq1 : varlist_1 = (a, b, c, d, e), onset_1 = {01101, 11010, 10011}

Eq2 : varlist_2 = (c, d, e, f, g, h), onset_2 = {101110, 001101, 010010}

List of elements common to varlist_1 and varlist_2 = (c, d, e) ≠ ∅

From Eq1 we can infer that the 3-tuple (c, d, e) is 101 or 010 or 011 whenever
Eq1 is true. The set S_1 = {101, 010, 011} is called the projection of the onset of
Eq1 on (c, d, e). From Eq2 we can infer that the 3-tuple (c, d, e) is 101 or 001
or 010 whenever Eq2 is true. We shall call S_2 = {101, 001, 010} the projection
of the onset of Eq2 on (c, d, e). A correct solution to the system satisfies both the
equations simultaneously. So all correct solutions to the system should have the
3-tuple (c, d, e) = 101 or 010 (a value from the intersection of S_1 and S_2). Using this
information we can delete all those elements from onset_1 and onset_2 whose
projection on (c, d, e) is not in the set S_1 ∩ S_2. Using this reduction we can get an
equivalent system of equations (i.e. the solution set of the new system of equations
is the same as the solution set for the old system). Applying this reduction on
our system we get

NewEq1 : varlist_1 = (a, b, c, d, e), onset_1 = {01101, 11010}

NewEq2 : varlist_2 = (c, d, e, f, g, h), onset_2 = {101110, 010010}

We execute this operation sequentially on pairs where it can be applied. The
procedure terminates when either some onset becomes empty (the case when the set of
equations is inconsistent) or some reduced set of functions is obtained where the
given operation cannot be applied on any pair. This process of reducing the size
of onsets by considering a pair of equations at a time is called local reduction.
Once a reduced set of functions is obtained, we can combine the onsets of each
equation to get the onset for the whole system. (Combining is done by doing a 'join'
operation over the onsets.) For example, in the above case the solution set for
the system of equations will be

(a, b, c, d, e, f, g, h) = {01101110, 11010010}
The complexity of local reduction is proportional to the number of points in the
onset, or roughly exponential in the number of variables per equation, which is why
the number of variables in each equation is to be kept small.

3.2 Removal of Common Factors 

We also used the technique of removal of common factors. The basic idea behind
this is very simple. Since the nonlinear equations are of the type F_i = 1, if some
sub-term occurs as a common factor in all the terms of F_i, it can be factored
out. In our case suppose we have

Eq_i : varlist_i = (a, b, c, d, e), onset_i = {10100, 10101, 10110}

We see that the triple (a, b, c) = (101) in all the points of the onset, so we can infer
that a = 1, b = 0 and c = 1 in the solution for the whole system of equations. We
can substitute the values inferred to get a reduced system of equations. In other
words we are factoring out a b' c (b' denoting the complement of b) and substituting
the values in the other equations. This operation of factoring out is linear in the size
of the onset, or roughly exponential in the number of variables in the equation.



4 Description of the Algorithm 

4.1 Making Equations 

We try to make equations expressing the relation between the initial contents of the shift
register and the bits of the key sequence. Using the system description such equations can
be easily made. The initial contents will be the variables and the key sequence
bits will be the constants. To ensure that the system of equations satisfies the
criteria for local reduction to be applicable, we had to make the number of variables
per equation less than 10.

This was achieved by introducing new variables for the bits generated by the
LFSR. A set of linear equations based on the feedback polynomial, giving the relation
between these new variables and the initial variables, is added to the system of
equations.

Given

1. Feedback polynomial of degree n,

2. Feedforward function of m variables and its tap points. Without loss of
generality we assume that the tap points of the nonlinear function are in the
last m consecutive stages of the shift register (as taps are equidistant),

3. 2n consecutive bits of the output sequence,

our system of equations will be as follows:

- Variables involved: X_1, ..., X_{2n+m}, corresponding to the 2n+m bits generated
by the LFSR while producing 2n bits of the output sequence.

- 2n nonlinear equations, each equation over m variables, describing an output
bit in terms of m bits of the LFSR. These equations are formed using the
feedforward function. We represent these equations in the form of onsets.

- n+m linear equations expressing each of the bits X_{n+1} to X_{2n+m} in terms of
the previous n bits. These equations are formed using the feedback function of the
LFSR. We represent these equations in the Algebraic Normal Form.

Representing the linear equations also as onsets would bring uniformity of
representation to the system but would constrain the feedback polynomial to
have a low density (number of taps less than 10).

4.2 Solving the System of Equations 

In our case we had a system of nonlinear equations (2n equations) and a system
of linear equations (n+m equations) over the same set of variables (2n+m
variables). Each nonlinear equation had 10 or fewer variables. There was no
constraint over the set of linear equations. We applied local reduction to the set of
nonlinear equations. In case some onsets get reduced to singleton sets, we get
the values of all the variables in that equation. For example,

varlist_i = (a, b, c), onset_i = {011}

means that the correct solution to the system has a = 0, b = 1 and c = 1.

We substitute the values in both the nonlinear and the linear system of equations.
In case some linear equation gets reduced to an equation over a single variable,
we can infer the value of the variable and substitute it back into the system of
equations. We repeat this process of local reduction followed by substitution
over the reduced system of equations. When no further reductions are possible
(and the system is not yet solved) the reduced system of equations is saved and we
perform a tree search over the reduced onset space of the system. For this we first
pick the equation with the least number of points in the onset and then substitute
the values corresponding to each point in the onset. The new system obtained by the
substitution is passed through the same process of local reduction followed by
substitution. In case the substitution was correct, we get closer to our solution;
otherwise the system of equations leads to a contradiction. In that case we undo
the substitution and try the next possible substitution. At every stage before
applying local reduction we apply factoring out of common terms. The outline
of this algorithm in pseudo code is given in Figure 2.
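Added example (not from the paper): a Python implementation of the onset-based local reduction and common-factor removal of Section 3 together with the equation construction and the solving procedure of Sections 4.1 and 4.2, run against a constructed toy generator. The LFSR length N = 5, the feedback taps (0, 2), the feedforward function (x0 ∧ x1) ⊕ x2 and the initial state are made-up values chosen to keep the instance small; the Section 3.1 equations Eq1/Eq2 can be fed to local_reduction directly.

```python
from itertools import product

# Equations are (varlist, onset): the onset is the set of 0/1 tuples over
# varlist at which F_i = 1 holds (the onset representation of Section 3.1).
def project(point, varlist, sub):
    return tuple(point[varlist.index(v)] for v in sub)
def local_reduction(eqs):
    """Section 3.1: drop onset points whose projection on the variables shared
    with another equation is absent from that equation; repeat to a fixpoint."""
    changed = True
    while changed:
        changed = False
        for i in range(len(eqs)):
            for j in range(i + 1, len(eqs)):
                (v1, o1), (v2, o2) = eqs[i], eqs[j]
                common = [v for v in v1 if v in v2]
                if not common:
                    continue
                keep = ({project(p, v1, common) for p in o1}
                        & {project(p, v2, common) for p in o2})
                n1 = {p for p in o1 if project(p, v1, common) in keep}
                n2 = {p for p in o2 if project(p, v2, common) in keep}
                if n1 != o1 or n2 != o2:
                    eqs[i], eqs[j], changed = (v1, n1), (v2, n2), True
    return eqs
def common_factors(eqs):
    """Section 3.2: a variable with one value in every onset point is known."""
    found = {}
    for varlist, onset in eqs:
        for idx, v in enumerate(varlist):
            vals = {p[idx] for p in onset}
            if len(vals) == 1:
                found[v] = vals.pop()
    return found
def substitute(eqs, known):
    """Fix known variables: keep agreeing onset points, drop the fixed columns."""
    out = []
    for varlist, onset in eqs:
        free = [i for i, v in enumerate(varlist) if v not in known]
        pts = {tuple(p[i] for i in free) for p in onset
               if all(p[i] == known[v] for i, v in enumerate(varlist) if v in known)}
        out.append(([varlist[i] for i in free], pts))
    return out
def propagate_linear(linear, known):
    """ANF linear equations (vars, rhs): XOR of vars == rhs. Returns the values
    forced by equations with one unknown left, or None on a contradiction."""
    found = {}
    for vars_, rhs in linear:
        val = rhs ^ sum(known.get(v, found.get(v, 0)) for v in vars_) % 2
        free = [v for v in vars_ if v not in known and v not in found]
        if not free and val:
            return None
        if len(free) == 1:
            found[free[0]] = val
    return found

# Constructed toy generator (not the paper's test parameters): LFSR of length
# N = 5 with feedback X[i+5] = X[i] ^ X[i+2]; feedforward function of M = 3
# variables on the last 3 consecutive stages (equidistant taps, Section 4.1).
N, M, TAPS = 5, 3, (0, 2)
def nlff(x):
    return (x[0] & x[1]) ^ x[2]
def keystream(init):
    """2N key bits; the LFSR emits the 2N+M bits X_0 .. X_{2N+M-1} meanwhile."""
    seq = list(init)
    for i in range(N, 2 * N + M):
        seq.append(sum(seq[i - N + t] for t in TAPS) % 2)
    return [nlff(seq[t:t + M]) for t in range(2 * N)]
def build_equations(key):
    """Section 4.1: 2N nonlinear onsets (M variables each) and N+M linear eqns."""
    nonlin = [(list(range(t, t + M)),
               {p for p in product((0, 1), repeat=M) if nlff(p) == z})
              for t, z in enumerate(key)]
    linear = [(frozenset([i] + [i - N + t for t in TAPS]), 0)
              for i in range(N, 2 * N + M)]
    return nonlin, linear
def solve(nonlin, linear, known=None):
    """Section 4.2 / Fig. 2: reduce to a fixpoint, then branch on the smallest
    onset (tree search). Returns X_0 .. X_{N-1}, or None if inconsistent."""
    known = dict(known or {})
    while True:
        eqs = local_reduction(substitute(nonlin, known))
        if any(not o for _, o in eqs):
            return None                    # an onset became empty
        new = common_factors(eqs)
        lin = propagate_linear(linear, known)
        if lin is None:
            return None
        new.update(lin)
        if not new:
            break
        known.update(new)
    if all(i in known for i in range(N)):
        return [known[i] for i in range(N)]
    vl, onset = min((e for e in eqs if e[0]), key=lambda e: len(e[1]))
    for p in sorted(onset):                # try each remaining onset point
        res = solve(nonlin, linear, {**known, **dict(zip(vl, p))})
        if res is not None:
            return res
    return None
```

Calling solve(*build_equations(keystream(state))) recovers a shift register state that reproduces the 2N key bits; with only 2N bits the state need not be unique, so the check compares keystreams rather than states.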



5 Results 

The results of applying our algorithm to nonlinear feedforward generators
of different parameters are given in Table 1. The results have been obtained
on a P-II 300 MHz system with 64 MB RAM.

Input:  Feedback polynomial f of degree n,
        Feedforward function g of m variables, and
        First 2n bits of the key sequence.

Output: The initial content of the shift register.

Making equations:

The first 2n+m bits of the sequence generated by the LFSR are
considered as variables. We form two sets of equations:

* n+m linear equations formed from f, describing the
  relationship between the 2n+m variables.

* 2n nonlinear equations describing the given key sequence in
  terms of the variables.

The n+m linear equations are represented in ANF.
The nonlinear equations are taken in the form Fi = 1.
The internal representation of a nonlinear equation is a set:
we store onsets, i.e. the set of points at which Fi evaluates to 1.

Pseudocode of the algorithm for solving the system of equations:

numvarfound = 0   /* number of variables whose values are found */

WHILE numvarfound < n
    Apply removal of common factors and local reduction on the
    set of nonlinear eqns.
    WHILE some variables are found DO
        Substitute the values found in all equations.
        Apply removal of common factors and local reduction on the
        set of nonlinear eqns.
    END WHILE
    IF numvarfound >= n BREAK
    /* tree search over the reduced eqns */
    Pick the equation with the least number of points in its onset.
    Try substituting the values given by each point, one by one:
        Check for consistency.
        IF not consistent, undo the substitution.
        ELSE try solving the reduced system of equations.
END WHILE

Make linear equations expressing the variables found in terms
of the first n variables.
Solve the system of linear equations to get the values of
the first n variables.
OUTPUT the values of the first n variables.

Fig. 2. Algorithm for Cryptanalysis of Nonlinear feedforward generator

6 Conclusions

A novel method of cryptanalysis of the nonlinear feedforward generator has been
described. This method is a known-plaintext attack and works even when just
2n bits of the keysequence are available, where n is the length of the shift register.
The implementation took a few minutes to find the initial settings of the system with a
128-degree polynomial and a 10-variable feedforward function.
Table 1. Experimental Results

Number of taps for NLFF   Degree of polynomial   Time taken
          8                        64                5.3s
          8                        64                6.5s
          8                        71               10.9s
          8                       128               29.5s
         10                       128               64.9s

The basic idea of the attack is to express the generator using a set of nonlinear
Boolean equations of a certain form so that they can be solved efficiently.
We expressed the output of the feedforward generator using a system of equations
with a limited number of variables per equation and a lot of common variables
between equations. Zakrevskij's method was then used to solve the resulting
system of Boolean equations.

We believe that this method can be extended to attack other building blocks 
of cryptosystems also. 
Abstract. We analyze the Gaudry-Hess-Smart (GHS) Weil descent attack
on the elliptic curve discrete logarithm problem (ECDLP) for elliptic
curves defined over characteristic two finite fields of composite extension
degree. For each such field F_{2^N}, N ∈ [160, 600], we identify elliptic curve
parameters such that (i) there should exist a cryptographically interesting
elliptic curve E over F_{2^N} with these parameters; and (ii) the GHS
attack is more efficient for solving the ECDLP in E(F_{2^N}) than for any
other cryptographically interesting elliptic curve over F_{2^N}.



1 Introduction 

Let E be an elliptic curve defined over a finite field K = F_{2^N}. The elliptic
curve discrete logarithm problem (ECDLP) in E(K) is: given E, P ∈ E(K),
r = ord(P) and Q ∈ ⟨P⟩, find the integer λ ∈ [0, r − 1] such that Q = λP. We
write λ = log_P Q. The ECDLP is of interest because its apparent intractability
forms the basis for the security of elliptic curve cryptographic schemes.

The elliptic curve parameters have to be carefully chosen in order to circumvent
some known attacks on the ECDLP. We say that an elliptic curve E over
F_{2^N} is cryptographically interesting if: (i) #E(F_{2^N}) is almost prime, that is,
#E(F_{2^N}) = rd where r is prime and d ∈ {2, 4}, in order to avoid the Pohlig-
Hellman [21] and Pollard's rho [22,19] attacks; and (ii) r does not divide 2^{Nj} − 1
for each j ∈ [1, J], where J is large enough so that it is computationally infeasible
to find discrete logarithms in F_{2^{Nj}}, in order to avoid the Weil pairing [17]
and Tate pairing [7] attacks.

Frey [6] first proposed using Weil descent as a means to reduce the ECDLP in
elliptic curves over F_{2^N} to the discrete logarithm problem in an abelian variety
over a proper subfield F_{2^l} of F_{2^N}. Frey's method, which we refer to as the Weil
descent attack methodology, was further elaborated by Galbraith and Smart [9].
In 2000, Gaudry, Hess and Smart (GHS) [11] showed how Frey's methodology
could be used (in most cases) to reduce any instance of the ECDLP to an instance
of the discrete logarithm problem in the Jacobian of a hyperelliptic curve over
F_{2^l}. Since subexponential-time algorithms for the hyperelliptic curve discrete
logarithm problem (HCDLP) are known, this could have important implications
for the security of elliptic curve cryptographic schemes.

The GHS attack was analyzed in [11,18]. It was proven to fail for all
cryptographically interesting elliptic curves over F_{2^N}, where N ∈ [160, 600] is prime.
Namely, the hyperelliptic curves C produced either have genus too small (whence
J_C(F_2) is too small to yield any non-trivial information about the ECDLP in
E(F_{2^N})), or have genus too large (g ≥ 2^8 − 1, whence the HCDLP in J_C(F_2)
is infeasible). The purpose of this paper is to investigate the applicability of the
GHS attack on the ECDLP for cryptographically interesting elliptic curves over
F_{2^N} for composite N ∈ [160, 600].

The paper is organized as follows. §2 provides a brief introduction to the 
relevant theory of hyperelliptic curves. The GHS Weil descent attack is outlined 
in §3, and an overview of the best methods known for solving the ECDLP and 
HCDLP is given in §4. Our analysis of the applicability of the GHS attack on 
the ECDLP over characteristic two finite fields of composite extension degree is 
presented in §5 and the Appendix. Our conclusions are stated in §6. 

2 Hyperelliptic Curves 

Hyperelliptic Curves. Let k = F_q denote the finite field of order q. The algebraic
closure of F_q is \bar{k} = \bigcup_{n \ge 1} F_{q^n}. A hyperelliptic curve C of genus g over k is defined
by a non-singular equation v^2 + h(u)v = f(u), where h, f ∈ k[u], deg f = 2g + 1,
and deg h ≤ g. Let L be an extension field of k. The set of L-rational points
on C is C(L) = {(x, y) : x, y ∈ L, y^2 + h(x)y = f(x)} ∪ {∞}. The opposite
of P = (x, y) ∈ C(L) is \tilde{P} = (x, −y − h(x)); we also define \tilde{∞} = ∞. Note that
\tilde{P} ∈ C(L). Except for the case g = 1 (since a genus 1 hyperelliptic curve is
precisely an elliptic curve), there is no natural group law on the set of points
C(L). Instead, one considers the Jacobian of C over k.

Jacobian of a Hyperelliptic Curve. The set D^0 of degree zero divisors of C is
the set of formal sums \sum_{P \in C(\bar{k})} m_P P where m_P ∈ Z, \sum m_P = 0, and only
a finite number of the m_P's are non-zero. D^0 is a group under the addition
rule \sum m_P P + \sum n_P P = \sum (m_P + n_P) P. Let σ : \bar{k} → \bar{k} be the Frobenius
map defined by x ↦ x^q. The map σ extends to C(\bar{k}) by (x, y) ↦ (x^σ, y^σ)
and ∞^σ ↦ ∞, and to D^0 by \sum m_P P ↦ \sum m_P P^σ. The set of zero divisors
defined over k is D^0_k = {D ∈ D^0 : D^σ = D}. The function field of C over
k, denoted k(C), is the field of fractions of the integral domain of polynomial
functions k[u, v]/(v^2 + h(u)v − f(u)). For f ∈ k(C), the divisor of f is div(f) =
\sum_{P \in C(\bar{k})} v_P(f) P, where v_P(f) denotes the multiplicity of P as a root of f. Now
the set Prin_k = {div(f) : f ∈ k(C)} is a subgroup of D^0_k. The Jacobian of C
(over k) is the quotient group J_C(k) = D^0_k / Prin_k.

Properties of the Jacobian. J_C(k) is a finite group. A theorem of Weil's implies
that (\sqrt{q} − 1)^{2g} ≤ #J_C(k) ≤ (\sqrt{q} + 1)^{2g}. If D_1 and D_2 are in the same
equivalence class of divisors in J_C(k) we write D_1 ∼ D_2. Each equivalence class has
a unique divisor in reduced form, i.e., a divisor \sum_{P \ne ∞} m_P P − (\sum_{P \ne ∞} m_P)∞
satisfying (i) m_P ≥ 0 for all P; (ii) if m_P ≥ 1 and P ≠ \tilde{P}, then m_{\tilde{P}} = 0;
(iii) m_P = 0 or 1 if P = \tilde{P}; and (iv) \sum m_P ≤ g. Such a reduced divisor
D can be uniquely represented by a pair of polynomials a, b ∈ k[u] where
(i) deg b < deg a ≤ g; (ii) a is monic; and (iii) a | (b^2 + bh − f). We write
D = div(a, b) to mean D = gcd(div(a), div(b − v)), where the gcd of two divisors
\sum_{P \ne ∞} m_P P − (\sum_{P \ne ∞} m_P)∞ and \sum_{P \ne ∞} n_P P − (\sum_{P \ne ∞} n_P)∞ is defined to
be \sum_{P \ne ∞} min(m_P, n_P) P − (\sum_{P \ne ∞} min(m_P, n_P))∞. The degree of D is deg a.
Cantor's algorithm [2] can be used to efficiently compute the sum of two reduced
divisors, and express the sum in reduced form.



Artin's Bound. In the above, we only considered the imaginary form of a hyperelliptic curve, and not the real form for which $\deg(f) = 2g + 2$ in the defining equation. Let $C$ be a hyperelliptic curve (real or imaginary) of genus $g$ over $k = \mathbb{F}_p$ with $p$ an odd prime. Artin [1] showed that $\#J_C(k) = \sum_{\nu=0}^{2g} \chi_\nu$ if $\deg f = 2g + 1$, and $\#J_C(k) = -\cdots$ if $\deg f = 2g + 2$. Here, $\chi_\nu = \sum_{\deg F = \nu} [f/F]$, where the summation is over all degree-$\nu$ monic polynomials $F \in \mathbb{F}_p[u]$ coprime to $f$, and $[f/F]$ is the polynomial Legendre symbol. We trivially have that $|\chi_\nu| \le p^\nu$, and Artin showed that $|\chi_\nu| \le p^g$ ($0 \le \nu \le 2g$) if $\deg f = 2g + 1$, and $\chi_{2g+1} = -p^g$ and $|\chi_\nu| \le \cdots$ ($1 \le \nu \le 2g$) if $\deg f = 2g + 2$. These results can be extended to the case $k = \mathbb{F}_q$, where $q = p^l$ and $p$ is prime, by replacing the Artin character by the general quadratic character. Then $\#J_C(k) \le (g+1)q^g + \sum_{\nu=0}^{g-1} q^\nu$ if $\deg f = 2g + 1$, and $\#J_C(k) \le ((2g+1)^2 - g(g+1))q^g + \sum_{\nu=1} \cdots\, q^\nu$ if $\deg f = 2g + 2$. Since over constant fields of characteristic 2 the real case is strictly more general than the imaginary case (cf. [20]), we work with $B_2 := ((2g+1)^2 - g(g+1))q^g + \sum_{\nu=1} \cdots\, q^\nu$ as an upper bound on the cardinality of the Jacobian. Notice that the larger $q$ is, the larger is the smallest genus $g$ for which the Artin bound $B_2$ is indeed smaller than the Hasse-Weil upper bound $B_1 := (\sqrt q + 1)^{2g}$.

3 Weil Descent Attack 

Let $l$ and $n$ be positive integers, $N = ln$, $q = 2^l$, $k = \mathbb{F}_q$, and $K = \mathbb{F}_{q^n}$. Consider the elliptic curve $E$ defined by $y^2 + xy = x^3 + ax^2 + b$, $a \in K$, $b \in K^*$. Gaudry, Hess and Smart [11] showed how Weil descent can be used to reduce the ECDLP in $E(K)$ to a discrete logarithm problem in the Jacobian $J_C(k)$ of a hyperelliptic curve $C$ defined over $k$. One first constructs the Weil restriction $W_{E/k}$ of scalars of $E$, which is an $n$-dimensional abelian variety over $k$. Then, $W_{E/k}$ is intersected with $n - 1$ hyperplanes to obtain the hyperelliptic curve $C$. We call their reduction algorithm the GHS attack on the ECDLP. The following is proven in [11].

Theorem 1 (Gaudry, Hess and Smart [11]) Let $q = 2^l$ and let $E : y^2 + xy = x^3 + ax^2 + b$ be an elliptic curve defined over $K = \mathbb{F}_{q^n}$. Let $\sigma : K \to K$ be the Frobenius automorphism defined by $\alpha \mapsto \alpha^q$, and let $b_i = \sigma^i(b)$ for $0 \le i \le n - 1$. Let the magic number for $E$ relative to $n$ be $m = m(b) = \dim_{\mathbb{F}_2}\big(\mathrm{Span}_{\mathbb{F}_2}\{(1, b_0^{1/2}), (1, b_1^{1/2}), \ldots, (1, b_{n-1}^{1/2})\}\big)$. Assume that

$n$ is odd, or $m(b) = n$, or $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0$. (1)

Then the GHS attack constructs an explicit group homomorphism $\phi : E(\mathbb{F}_{q^n}) \to J_C(\mathbb{F}_q)$, where $C$ is a hyperelliptic curve over $\mathbb{F}_q$ of genus $g = 2^{m-1}$ or $2^{m-1} - 1$.

Remark 2 (solving ECDLP instances in $E(\mathbb{F}_{q^n})$) Assume now that $\#E(\mathbb{F}_{q^n})$ is almost prime, i.e., $\#E(\mathbb{F}_{q^n}) = rd$ where $r$ is prime and $d$ is small. In [11] it is argued that it is highly unlikely that the kernel of $\phi$ will contain the subgroup of order $r$ of $E(\mathbb{F}_{q^n})$ unless $E$ is defined over a proper subfield of $\mathbb{F}_{q^n}$. Thus, $\phi$ can be used to reduce instances of the ECDLP in $\langle P \rangle$, where $P$ is a point of order $r$ in $E(\mathbb{F}_{q^n})$, to instances of the HCDLP in $J_C(\mathbb{F}_q)$. Namely, given $P$ and $Q \in \langle P \rangle$, then $\log_P Q = \log_{\phi(P)} \phi(Q)$.

Remark 3 (efficiency of determining $C$ and computing $\phi$) The running time complexity of the algorithm presented in [11] for finding the defining equation of $C$ and for computing $\phi$ has not been determined. However, if $ng$ is relatively small, say $ng < 1000$, our extensive experiments suggest that Hess's KASH implementation [12,3] of the algorithm takes at most a few hours on a workstation.

The formula for $m$ in Theorem 1 was analyzed in [18] and Theorem 5 was obtained. We first need to define the type of an element of $\mathbb{F}_{q^n}$.

Definition 4 Let $n = 2^s n_1$ where $n_1$ is odd. Let $h = 2^s$ and $x^n - 1 = (f_0 f_1 \cdots f_s)^h$, where $f_0 = x - 1$ and the $f_i$'s are distinct irreducible polynomials over $\mathbb{F}_2$ with $\deg(f_i) = d_i$ and $1 = d_0 \le d_1 \le d_2 \le \cdots \le d_s$. For $b \in \mathbb{F}_{q^n}$, let $\mathrm{Ord}_b(x)$ be the unique monic polynomial $f \in \mathbb{F}_2[x]$ of least degree such that $f(\sigma)\,b = 0$; we have $\mathrm{Ord}_b(x) \mid x^n - 1$. For each $i \in [0, s]$, let $j_i$ be the largest power of $f_i$ which divides $\mathrm{Ord}_b(x)$. The type of $b$ is defined to be $(j_0, j_1, \ldots, j_s)$.

Theorem 5 ([18]) Let $b \in \mathbb{F}_{q^n}$ have type $(j_0, j_1, \ldots, j_s)$.

(i) Then $m(b) = c + \sum_{i=0}^{s} j_i d_i$, where $c = 1$ if $j_0 = 0$, and $c = 0$ if $j_0 \ne 0$.

(ii) There are $\approx q^{\sum_{i=0}^{s} j_i d_i}$ elements of type $(j_0, j_1, \ldots, j_s)$ in $\mathbb{F}_{q^n}$.
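As an added worked example (it is not code from the paper), the following Python computes $m(b)$ directly from the Span definition in Theorem 1 for every nonzero $b$ of a constructed toy field with $l = 3$, $n = 4$, $N = 12$ (so $q = 8$), and checks the result against Theorem 5(i): for $n = 4$ we have $x^4 - 1 = (x - 1)^4$, so $b$ has type $(j_0)$ and $m(b) = j_0$, which means exactly $q^j - 1$ nonzero $b$ satisfy $m(b) \le j$, and $m(b) \le n/2$ holds exactly when $b \in \mathbb{F}_{q^2}$ (Corollary 13 below). The modulus $x^{12} + x^6 + x^4 + x + 1$ is an assumed irreducible polynomial, verified at run time.

```python
# Magic number m(b) of Theorem 1, computed from its definition over a toy field.
# Constructed parameters (not from the paper): l = 3, n = 4, N = l*n = 12, q = 2^l = 8.
L, NN = 3, 4
N = L * NN
# Assumed irreducible modulus for F_{2^12}: x^12 + x^6 + x^4 + x + 1 (checked below).
# GF(2)[x] polynomials are Python ints: bit i is the coefficient of x^i.
MODULUS = (1 << 12) | (1 << 6) | (1 << 4) | (1 << 1) | 1

def pmul(a, b):
    """Carry-less multiplication in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pmod(a, p):
    """Remainder of a modulo p in GF(2)[x]."""
    dp = p.bit_length() - 1
    while a and a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a

def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a

def is_irreducible(p):
    """Rabin's test: p of degree d is irreducible over GF(2) iff x^(2^d) = x (mod p)
    and gcd(x^(2^(d/r)) + x, p) = 1 for every prime r dividing d."""
    d = p.bit_length() - 1
    def x_pow_2k(k):  # x^(2^k) mod p by k squarings; the int 2 encodes the polynomial x
        t = 2
        for _ in range(k):
            t = pmod(pmul(t, t), p)
        return t
    if x_pow_2k(d) != 2:
        return False
    primes = [r for r in range(2, d + 1) if d % r == 0 and all(r % s for s in range(2, r))]
    return all(pgcd(x_pow_2k(d // r) ^ 2, p) == 1 for r in primes)

assert is_irreducible(MODULUS)

def fsqr(a):
    """Squaring in F_{2^N} = GF(2)[x]/(MODULUS)."""
    return pmod(pmul(a, a), MODULUS)

def frobenius(b):
    """sigma(b) = b^q with q = 2^l, i.e. l squarings."""
    for _ in range(L):
        b = fsqr(b)
    return b

def fsqrt(b):
    """b^(2^(N-1)) is the unique square root of b in F_{2^N}."""
    for _ in range(N - 1):
        b = fsqr(b)
    return b

def gf2_rank(vectors):
    """Rank over F_2 of a list of bit-vectors (ints), eliminating on leading bits."""
    pivots = {}  # leading bit -> reduced vector with that leading bit
    for v in vectors:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return len(pivots)

def magic_number(b):
    """m(b) = dim_{F_2} Span{(1, b_i^(1/2)) : b_i = sigma^i(b), 0 <= i < n} (Theorem 1).
    A pair (1, c) is encoded as an (N+1)-bit vector: top bit 1, low N bits c."""
    vecs, bi = [], b
    for _ in range(NN):
        vecs.append((1 << N) | fsqrt(bi))
        bi = frobenius(bi)
    return gf2_rank(vecs)

def in_subfield(b, mu):
    """True iff b lies in F_{q^mu}, i.e. sigma^mu(b) = b."""
    c = b
    for _ in range(mu):
        c = frobenius(c)
    return c == b

def magic_number_survey():
    """Over every nonzero b in F_{2^N}: the histogram {m: number of b with m(b) = m}, and
    whether Corollary 13 holds for n = 4 (m(b) <= 2 iff b in F_{q^2}; m(b) = 1 iff b in F_q)."""
    hist, rule_ok = {}, True
    for b in range(1, 1 << N):
        m = magic_number(b)
        hist[m] = hist.get(m, 0) + 1
        if (m <= 2) != in_subfield(b, 2) or (m == 1) != in_subfield(b, 1):
            rule_ok = False
    return hist, rule_ok  # ({1: 7, 2: 56, 3: 448, 4: 3584}, True)
```

The histogram is $q^j - q^{j-1}$ elements for each $j = m$, exactly the count of elements of type $(j)$ predicted by Theorem 5(ii).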

Lemma 6 asserts that condition (1) of Theorem 1 can be weakened. 

Lemma 6 Let $E/\mathbb{F}_{q^n}$ be an elliptic curve defined by the equation $y^2 + xy = x^3 + ax^2 + b$ where $b \in \mathbb{F}_{q^n}$ has type $(j_0, j_1, \ldots, j_s)$. In Theorem 1, condition (1) can be replaced by the following, weaker, condition:

$n$ is odd, or $2^s = j_0$, or $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0$. (2)

Proof: Observe first that if $n$ is even and $m(b) = n$, then $b$ must be of type $(2^s, \ldots, 2^s)$ so that $2^s = j_0$. Thus, (1) indeed implies (2). Now, let $f = (x - 1)^c \prod_{i=0}^{s} f_i^{j_i}$ where $c = 1$ if $j_0 = 0$, and $c = 0$ if $j_0 \ne 0$. (This function has to replace the function $f$ incorrectly defined in the proof of Lemma 11 in [11].) Let $h = (x^n - 1)/f$. From the proof of Lemma 11 in [11] it follows that Theorem 1 is true if $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0$ or $\mathrm{Tr}_{K/\mathbb{F}_2}(a) + h(1) = 0$. Thus, if $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 1$, Theorem 1 is true if $h(1) = 1$. Since $x^n - 1 = (x^{n_1} - 1)^{2^s} = (x - 1)^{2^s} \cdot k$ with $k(1) = 1$, we have $h(1) = 1$ if and only if $(x - 1)^{2^s}$ divides $f$. Since the latter is true if and only if $n$ is odd or $2^s = j_0$, the lemma is established. □

There are $2^{N+1} - 2$ isomorphism classes of elliptic curves over $\mathbb{F}_{2^N}$ with representatives $y^2 + xy = x^3 + b$, $y^2 + xy = x^3 + ax^2 + b$, where $b \in \mathbb{F}_{2^N}^*$ and $a \in \mathbb{F}_{2^N}$ is a fixed element with $\mathrm{Tr}_{\mathbb{F}_{2^N}/\mathbb{F}_2}(a) = 1$. The number $I$ of isomorphism classes of elliptic curves over $\mathbb{F}_{2^N}$ with a given magic number $m$ relative to $n$ and satisfying (2) can be efficiently computed using the following.

Lemma 7 Let $n$ and $m \in [1, n]$ be fixed. Let $c_{i,j} = q^{j d_i} - q^{(j-1) d_i}$ for $0 \le i \le s$ and $1 \le j \le h$. Let $F_0(z) = 2(z + c_{0,1} z)$ if $n$ is odd, and $F_0(z) = z + \sum_{j=1}^{h-1} c_{0,j} z^j + 2 c_{0,h} z^h$ if $n$ is even, $F_i(z) = 1 + \sum_{j=1}^{h} c_{i,j} z^{j d_i}$ for $1 \le i \le s$, and $F(z) = F_0(z) \prod_{i=1}^{s} F_i(z)$. Then the number of isomorphism classes of elliptic curves over $\mathbb{F}_{2^N}$ with magic number $m$ relative to $n$ and satisfying (2) is $I = [z^m] F(z)$ where $[\,]$ denotes the coefficient operator.

Proof: Follows immediately from Theorem 5 and Lemma 6. □

4 Algorithms for the ECDLP and HCDLP 

ECDLP. Let $E/\mathbb{F}_{2^N}$ be a cryptographically interesting elliptic curve, and let $r$ be the large prime divisor of $\#E(\mathbb{F}_{2^N})$. Then Pollard's rho algorithm [22] for solving the ECDLP in the subgroup of order $r$ of $E(\mathbb{F}_{2^N})$ has an expected running time of $(\sqrt{\pi r})/2$ elliptic curve additions. Since $E$ is cryptographically interesting, $r \approx 2^{N-1}$ (taking into account that there is always a cofactor at least 2). We henceforth use $(\sqrt{\pi 2^{N-1}})/2$ to express the running time of Pollard's rho algorithm. Note that the algorithm can be effectively parallelized (see [19]) so that its expected running time on a network of $S$ processors is $(\sqrt{\pi 2^{N-1}})/(2S)$.

HCDLP. Let $C$ be a genus $g$ hyperelliptic curve over $k = \mathbb{F}_q$. The HCDLP is the following: given $C$, $D_1 \in J_C(k)$, $r = \mathrm{ord}(D_1)$, and $D_2 \in \langle D_1 \rangle$, find the integer $\lambda \in [0, r - 1]$ such that $D_2 = \lambda D_1$. We shall assume that $r$ is prime. We describe the Enge-Gaudry (EG) index-calculus algorithm [10,4] for the HCDLP.

A reduced divisor $D = \mathrm{div}(a, b) \in J_C(k)$ is called a prime divisor if $a$ is irreducible over $k$. Each reduced divisor $D = \mathrm{div}(a, b) \in J_C(k)$ can be expressed as a sum of prime divisors as follows: if $a = \prod_{i=1}^{L} a_i^{c_i}$ is the factorization of $a$ into monic irreducibles over $k$, then $D = \sum_{i=1}^{L} c_i\, \mathrm{div}(a_i, b_i)$ where $b_i = b \bmod a_i$ for all $i \in [1, L]$. Such a $D$ is said to be $t$-smooth if $\max\{\deg a_i\} \le t$.

In the Enge-Gaudry algorithm, a smoothness bound $t$ is first chosen. Next, the factor base $\{P_1, P_2, \ldots, P_w\}$ is constructed: for each prime divisor $D = \mathrm{div}(a, b)$ of degree $\le t$, exactly one of $D$ and $-D$ is included in the factor base. Then, a random walk (à la Teske [24]) is performed in the set of reduced divisors equivalent to divisors of the form $\alpha D_1 + \beta D_2$, and the $t$-smooth divisors encountered in this walk are stored; each $t$-smooth divisor yields a relation $\alpha_i D_1 + \beta_i D_2 \sim R_i = \sum_j e_{ij} P_j$. When $w + 5$ different relations have been found, one can find by linear algebra modulo $r$ a non-trivial linear combination $\sum_i \gamma_i (e_{i1}, e_{i2}, \ldots, e_{iw}) = (0, 0, \ldots, 0)$. Thus $\sum_i \gamma_i R_i = 0$, whence $\sum_i \gamma_i (\alpha_i D_1 + \beta_i D_2) = 0$ and $\log_{D_1} D_2 = -(\sum_i \gamma_i \alpha_i)/(\sum_i \gamma_i \beta_i) \bmod r$.

The EG algorithm has a subexponential running time of $O(\exp((\sqrt 2 + o(1))\sqrt{\log q^g \log\log q^g}))$ bit operations for $g/\log q \to \infty$. In [14], the following non-asymptotic analysis of the running time for the relation gathering stage was given. A good approximation for the number $A_l$ of prime divisors of degree $l$ in the factor base is $A_l \approx \frac{1}{2l} \sum_{d \mid l} \mu(d)\, q^{l/d}$, where $\mu$ is the Möbius function. The factor base size $w$ is therefore well approximated by $F(t) = \sum_{l=1}^{t} A_l$. By [14, Lemma 2], the number of $t$-smooth reduced divisors in $J_C(k)$ is $M(t) = \cdots$, where $[\,]$ denotes the coefficient operator. Under the heuristic assumption that the proportion of $t$-smooth divisors in $\langle D_1 \rangle$ is the same as the proportion of $t$-smooth divisors in the full group $J_C(k)$, the expected number of random walk iterations before a $t$-smooth divisor is encountered is $E(t) = \#J_C(k)/M(t)$. Finally, the expected number of random walk iterations before $F(t) + 5$ relations are generated is $T(t) = (F(t) + 5)\, E(t)$.



5 Analysis 

For each composite $N \in [160, 600]$, we determine and compare the running times for solving the ECDLP in a (potentially) cryptographically interesting elliptic curve over $\mathbb{F}_{2^N}$ using the GHS attack and Pollard's rho method. We express the running times for Pollard's rho method and the GHS attack in terms of elliptic curve operations and in terms of random walk iterations in the Jacobian, respectively, as outlined in §4. In particular, we do not consider the different bit complexities of operations for elliptic and hyperelliptic curves since these are expected to be roughly the same. Furthermore, we do not take into account the time spent on mapping the ECDLP instance to a HCDLP instance, and the time spent on the linear algebra stage of the Enge-Gaudry index-calculus algorithm.

For each composite $N \in [160, 600]$, Algorithm 9 determines the elliptic curve parameters (in terms of $n$, $m$ and $g$) such that (i) there should (cf. Remark 19) exist a cryptographically interesting elliptic curve $E$ over $\mathbb{F}_{2^N}$ with these parameters; and (ii) the GHS attack is more efficient for solving the ECDLP in $E(\mathbb{F}_{2^N})$ than for solving the ECDLP on any other cryptographically interesting elliptic curve over $\mathbb{F}_{2^N}$. For each such set of parameters $(n, m, g)$, we list the number $I$ of isomorphism classes of elliptic curves over $\mathbb{F}_{2^N}$ that have magic number $m$ relative to $n$ and satisfy (2), the optimal smoothness bound $t$ for the Enge-Gaudry algorithm, and the resulting estimates for the factor base size $F(t)$ and the (minimized) running time $T(t)$ in terms of random walk iterations.

Remark 8 (EG1 versus EG2) In Algorithm 9, two variants of the Enge-Gaudry algorithm are considered. The first variant, denoted by EG1, only works with a factor base whose size is upper bounded by $10^7 \approx 2^{23}$, while the second variant, denoted by EG2, does not assume any upper bound on the factor base size. Note that a factor base of size $10^7$ is on the edge of what is considered feasible today [15,16]. If $A_1 = 2^{l-1} > 10^7$ for some hyperelliptic curve of genus $g$ over $\mathbb{F}_{2^l}$, then, in order to achieve a factor base size $\le 10^7$, the Enge-Gaudry algorithm can be modified by selecting the factor base to consist of only a proportion $1/\varepsilon$ of all prime divisors of degree 1 [11]. However, the expected time to find a smooth divisor will be increased by a factor of $\varepsilon^g$. Therefore, we decided not to consider this modification in our analysis. If the factor base size for EG2 is significantly larger than $10^7$, then the EG2 algorithm is not currently practical. Nevertheless, we feel that listing the optimum times for EG2 is important because they will become relevant should improvements be made in the future to algorithms for solving sparse linear systems.

Algorithm 9 (Computing optimal $(n, m, g, t, F, T)$)

Input: $N$, "EG1" or "EG2".

Output: Parameters $n$, $m$, $g$ for which there may exist an elliptic curve that is cryptographically interesting and whose ECDLP is most easily solved with the GHS attack; optimal smoothness bound $t$; (estimated) factor base size $F$; and (estimated) expected running time $T$ in terms of random walk iterations.

1. For all divisors $n \ge 2$ of $N$ do the following:

(a) Set $l \leftarrow N/n$ and $q \leftarrow 2^l$.

(b) { For EG1: The $10^7$ bound on factor base size must be violated if $A_1 = 2^{l-1} > 10^7$. } Case EG1: If $l \ge 25$ then set $T_n \leftarrow \infty$ and go to step 1.

(c) Write $n = n_1 h$ where $h = 2^s$ and $n_1$ is odd.

(d) { Compute the degrees of the irreducible factors of $x^{n_1} - 1$ over $\mathbb{F}_2$. } Let the cyclotomic cosets of 2 modulo $n_1$ have sizes $1 = d_0 \le d_1 \le \cdots \le d_s$.

(e) { Compute a lower bound $m'$ on the magic number $m$ relative to $n$ that yields a large enough Jacobian (cf. Remark 10). }

For $m' = 2, 3, \ldots, n$ do the following:

i. Set $g \leftarrow 2^{m'-1} - 1$. Compute $B_1$, $B_2$ as defined in §2.

ii. If $\min\{\log_2 B_1, \log_2 B_2\} \ge N - 3$ then go to step 1(f).

iii. Set $g \leftarrow 2^{m'-1}$. Compute $B_1$, $B_2$ as defined in §2.

iv. If $\min\{\log_2 B_1, \log_2 B_2\} \ge N - 3$ then go to step 1(f).

(f) { Find the smallest admissible $m$ relative to $n$ (cf. Theorem 5). }

For $m = m', m' + 1, \ldots, n$ do the following:

If $m$ can be written in the form $\sum_{i=0}^{s} j_i d_i$ with $0 \le j_i \le h$, $j_0 \ge 1$, then: { Check that the sufficient conditions of Lemma 12 (for every elliptic curve over $\mathbb{F}_{2^N}$ having magic number $m$ relative to $n$ to be defined over a proper subfield $\mathbb{F}_{2^{l\mu}}$ of $\mathbb{F}_{2^N}$ for some $\mu \ge 3$) are violated. }

If $n$ is a power of 2, set $d \leftarrow \infty$; else set $d \leftarrow d_1$.

If [$m > d$ or $m > 2^s$] or [$d = \infty$ and $m > 2^{s-1}$] then go to step 1(g).

(g) If $m > m'$ then set $g \leftarrow 2^{m-1} - 1$.

(h) { If the size of the Jacobian is not too large, i.e., if $gl \le 4096$ (cf. Remark 14), then find the optimum smoothness bound $t$ for the Enge-Gaudry algorithm using the formulas at the end of §4 to estimate the factor base size $F(t)$, the expected running time $E(t)$ to find a smooth divisor with $\#J_C(\mathbb{F}_q) = 2^{gl}$, and the expected running time $T(t)$. }

If $gl \ge 4097$ then set $T_n \leftarrow \infty$. Else:

i. Case EG1: Set $S \leftarrow \{1 \le t \le 120 : F(t) \le 10^7\}$.

Case EG2: Set $S \leftarrow \{1, 2, \ldots, 120\}$.

ii. Let $t_n$ be the index in $S$ which minimizes $T(t)$.

iii. Set $m_n \leftarrow m$, $g_n \leftarrow g$, $T_n \leftarrow T(t_n)$.

2. If $T_n = \infty$ for all $n$, output "$gl \ge 4097$ for all $n$". Else, let $n$ be the index for which $T_n$ is a minimum and output "$(n, m_n, g_n, t_n, F_n, T_n)$".

Remark 10 (explanation of the lower bound on $\log_2 B_1$ and $\log_2 B_2$ in step 1(e) of Algorithm 9) If we restrict our attention to cryptographically interesting elliptic curves $E$ over $\mathbb{F}_{2^N}$ with $\#E(\mathbb{F}_{2^N}) = dr$, where $d \in \{2, 4\}$ and $r$ is prime, then $r \ge \#E(\mathbb{F}_{2^N})/4 \ge (2^{N/2} - 1)^2/4 > 2^{N-1}/4 = 2^{N-3}$ for $N \ge 4$. Thus, if the hyperelliptic curve $C$ over $\mathbb{F}_q$ generated by the GHS reduction has genus $g$, then a necessary condition for $J_C(\mathbb{F}_q)$ to have a subgroup of order $r$ is $\min(B_1, B_2) \ge \#J_C(\mathbb{F}_q) \ge 2^{N-3}$.

Remark 11 (explanation of step 1(f) of Algorithm 9) There are some $(N, l, g)$ parameters for which elliptic curves over $\mathbb{F}_{2^N}$ with parameters $(l, g)$ do exist, but none of which are cryptographically interesting. For example, if $N = 160$, the ECDLP is most easily solved with the GHS attack if $(n, l, m, g) = (8, 20, 4, 8)$. Then, for the attack to work (cf. condition (2) in Lemma 6), we need $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0$, i.e., without loss of generality, $a = 0$. Now, consider an elliptic curve $E : y^2 + xy = x^3 + b$ over $\mathbb{F}_{2^{160}}$ that yields magic number $m = 4$ on performing the GHS attack with $n = 8$. We have $x^8 - 1 = (x - 1)^8$, and hence $(\sigma - 1)^4 b = 0$ where $\sigma : \mathbb{F}_{2^{160}} \to \mathbb{F}_{2^{160}}$ is defined by $\alpha \mapsto \alpha^{2^{20}}$. That is, $b \in \mathbb{F}_{2^{80}}$, which implies that $\#E(\mathbb{F}_{2^{80}})$ divides $\#E(\mathbb{F}_{2^{160}})$. Hence $E$ is not cryptographically interesting. The next easiest instance of an ECDLP over $\mathbb{F}_{2^{160}}$ for which a cryptographically interesting curve can exist is $(n, l, m, g) = (20, 8, 6, 31)$. Such a phenomenon always occurs when $(n, m) = (8, 4)$ are the GHS parameters for which the ECDLP is most easily solved, which is the case for $N = 176, 184, 192$ and many other $N$ divisible by 8. But also for $N = 224$ where $(n, m) = (32, 6)$ would be best we find that $\#E(\mathbb{F}_{2^{56}})$ must divide $\#E(\mathbb{F}_{2^{224}})$ for any elliptic curve with these parameters. Another example is $N = 304$ where $(n, m) = (16, 5)$ would be optimal; here we find that $\#E(\mathbb{F}_{2^{304}})$ must be divisible by $\#E(\mathbb{F}_{2^{152}})$.

Lemma 12 generalizes the observations made in Remark 11. 

Lemma 12 Let $E/\mathbb{F}_{q^n}$ be an elliptic curve defined by the equation $y^2 + xy = x^3 + ax^2 + b$, where $b \in \mathbb{F}_{q^n}$ has type $(j_0, j_1, \ldots, j_s)$. Suppose that (2) holds. Let $n = n_1 2^s$ where $n_1$ is odd. If $n$ is a power of 2, then let $d = \infty$; otherwise, let $d = d_1 = \min\{d_i : 1 \le i \le s\}$. Let $m = m(b)$ be as in Theorem 1. Let $\mu = 2^{\lceil \log_2 m \rceil}$, i.e., the smallest power of 2 greater than or equal to $m$.

(i) If $m \le d$ and $m < 2^s$, then $E$ is defined over $\mathbb{F}_{q^\mu}$ and hence $\#E(\mathbb{F}_{q^n})$ is divisible by $\#E(\mathbb{F}_{q^\mu})$.

(ii) If $m \le d$ and $m = 2^s$ and $n/\mu$ is odd, then $E$ is (isomorphic to a curve) defined over $\mathbb{F}_{q^\mu}$ and hence $\#E(\mathbb{F}_{q^n})$ is divisible by $\#E(\mathbb{F}_{q^\mu})$.

Proof:

(i) Assume that $m \le d$ and $m < 2^s$. Then $b$ must have type $(m, 0, \ldots, 0)$, and $n$ is even and $2^s \ne j_0$. The former implies that $b \in B = \{b \in \mathbb{F}_{q^n} : (\sigma + 1)^m(b) = 0\} \setminus \{b \in \mathbb{F}_{q^n} : (\sigma + 1)^{m-1}(b) = 0\}$. Let $\mu_- = \mu/2$, i.e., the largest power of 2 strictly less than $m$. Then $B \subseteq \mathbb{F}_{q^\mu} \setminus \mathbb{F}_{q^{\mu_-}}$. Since $n$ is even and $2^s \ne j_0$, we require $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0$ for Lemma 6 to hold. Thus, without loss of generality, $a = 0$. Thus, $E$ is defined over $\mathbb{F}_{q^\mu}$ but not over any proper subfield of $\mathbb{F}_{q^\mu}$.

(ii) Now assume that $m \le d$ and $m = 2^s$ and $n/\mu$ is odd. Then, as before, $b \in \mathbb{F}_{q^\mu} \setminus \mathbb{F}_{q^{\mu_-}}$. Since $m = 2^s$, both $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0, 1$ are possible. Now, $\mathrm{Tr}_{K/\mathbb{F}_2}(c) = (n/\mu)\, \mathrm{Tr}_{\mathbb{F}_{q^\mu}/\mathbb{F}_2}(c)$ for $c \in \mathbb{F}_{q^\mu}$. Since $n/\mu$ is odd, $\mathrm{Tr}_{K/\mathbb{F}_2}(c) = \mathrm{Tr}_{\mathbb{F}_{q^\mu}/\mathbb{F}_2}(c)$, and there exists $c \in \mathbb{F}_{q^\mu}$ such that $\mathrm{Tr}_{K/\mathbb{F}_2}(c) = 1$. Therefore, both for $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 0$ and $\mathrm{Tr}_{K/\mathbb{F}_2}(a) = 1$ there exists a curve isomorphic to $E$ that is defined over $\mathbb{F}_{q^\mu}$ but not over any proper subfield of $\mathbb{F}_{q^\mu}$. □

Corollary 13 If $n$ is a power of 2 and $n/4 < m \le n/2$, then $E$ is defined over $\mathbb{F}_{q^{n/2}}$ and hence $\#E(\mathbb{F}_{q^n})$ is divisible by $\#E(\mathbb{F}_{q^{n/2}})$.

Remark 14 (restriction on $gl$ in step 1(h) of Algorithm 9) For $gl \ge 4097$ we were unable to compute the expected running time of EG1/EG2 because of computational limitations when computing the Taylor series expansions needed to evaluate $M(t)$. We therefore ignore all instances $(n, l, g)$ where $gl \ge 4097$. Notice that in this case the Jacobian $J_C(\mathbb{F}_q)$ has size at least $2^{4097}$, whence any (cryptographically interesting) HCDLP instance in $J_C(\mathbb{F}_q)$ is infeasible using the known index-calculus type algorithms. In particular, if $l = 1$ and $g = 4095$, the smallest running time for EG2 is with $t = 120$ and amounts to $\approx 2^{\cdots}$ random walk iterations, which is more than the expected number of elliptic curve operations using Pollard's rho method for $N = 600$.

The outputs of Algorithm 9 with composite $N \in [160, 600]$ as inputs are listed in Appendix A. In these tables, the entries for $I$, $F$, $T$, and $\rho$ are the logarithms (base 2, rounded to the nearest integer) of the number of isomorphism classes of elliptic curves with magic number $m$ relative to $n$ and satisfying (2), the factor base size, the expected number of random walk iterations in the Enge-Gaudry algorithm, and the number of elliptic curve operations in Pollard's rho method, respectively. D1 and D2 denote the differences $\rho - T$ (if positive) for EG1 and EG2, respectively. If for some $N$ data is given for EG2 but not for EG1, we are in the situation that $gl \ge 4097$ for all divisors $l \le 24$ of $N$ (such as for $N = 164$ and $166$). If for some $N$ data is given for neither EG1 nor EG2, we are in the situation that $gl \ge 4097$ for all $l$ dividing $N$. The latter occurs for only 5 values of $N$: 289, 323, 361, 493 and 551.

Remark 15 (further limitations of our analysis) Our analysis yields the same running times whenever $(g, l)$ are the same, independently of $N$ (e.g., $T = 53$ when $(g, l) = (15, 13)$ for both $N = 130$ and $N = 195$; see Appendix A). This is because the running time of the Enge-Gaudry algorithm is computed under the assumption that $\#J_C(\mathbb{F}_q) \approx q^g = 2^{gl}$. However, we only expect that $\#J_C(\mathbb{F}_q)$ is divisible by the large prime that divides $\#E(\mathbb{F}_{q^n})$. Hence if $gl \gg N$, it may well be the case that the Jacobian obtained from Weil descent is much smaller in size than $q^g$, which would then lead to a significantly smaller value $E(t)$ and hence also to a significantly smaller running time $T(t)$. This observation is particularly meaningful where $l = 1$, in which case the Hasse-Weil lower bound $(\sqrt 2 - 1)^{2g} \le \#J_C(\mathbb{F}_2)$ is trivial. For example, if $(l, g) = (1, 255)$, we have $T = 2^{\cdots}$ for EG1 and $T = 2^{\cdots}$ for EG2, for $N = 117, 153, 170, 171, 187, 190$, etc., $270, 273$. Thus, caution must be exercised when interpreting our data for those $N$ where $gl \gg N$. Nevertheless, if $gl \approx N$, our running time estimates are precise.

Remark 16 (success of the GHS attack) There are some composite $N \in [160, 600]$ for which the GHS attack succeeds on some cryptographically interesting elliptic curves over $\mathbb{F}_{2^N}$. That is, Pollard's rho algorithm is infeasible for solving the ECDLP on these curves, and the GHS attack is successful in reducing instances of the ECDLP on these curves to instances of the HCDLP which are solvable using known algorithms and existing computer technology. Examples of such are $N = 161, 180, 186, 217, 248, 300$.¹

Remark 17 (failure of the GHS attack) We can conclude that for those composite $N \in [160, 600]$ for which no values are entered for EG1, the GHS attack does not reduce the level of security offered: Pollard's rho method is the faster algorithm for all elliptic curves over $\mathbb{F}_{2^N}$. In particular, this is true for $N = 185$, which is of practical significance because a specific elliptic curve over $\mathbb{F}_{2^{185}}$ is listed in the IETF standard [13] for key establishment. We emphasize that our statements about the failure of the GHS attack for all elliptic curves over some field $\mathbb{F}_{2^N}$ are under the assumption that the Enge-Gaudry algorithm is essentially the best index-calculus algorithm for the HCDLP, and, in particular, that the linear algebra stage is intractable if the factor base size is greater than $10^7$.

Remark 18 (effectiveness of the GHS attack) When D1 $> 0$ for some composite $N \in [160, 600]$, the level of security offered by some cryptographically interesting elliptic curves defined over $\mathbb{F}_{2^N}$ may be reduced due to the GHS attack. However, note that our data corresponds to elliptic curves with least possible magic numbers and genera, and only a small proportion of elliptic curves yield this minimal magic number. For example, if $N = 161$, then only $\approx 2^{\cdots}$ out of $\approx 2^{161}$ elliptic curves over $\mathbb{F}_{2^{161}}$ have magic number $m = 4$ relative to $n = 7$. Correspondingly, for $N = 165$ the proportion of elliptic curves with magic number $m = 5$ relative to $n = 15$ is only $\approx 2^{\cdots}$ out of $2^{165}$, whereas for $N = 162$, the proportion of curves having magic number $m = 7$ relative to $n = 54$ is even smaller, namely $\approx 2^{\cdots}$ out of $2^{162}$. Galbraith, Hess and Smart [8] presented an algorithm with expected average running time of $\cdots$ for explicitly computing an isogeny between two isogenous elliptic curves over $\mathbb{F}_{q^n}$. (Two elliptic curves $E_1/\mathbb{F}_{q^n}$ and $E_2/\mathbb{F}_{q^n}$ are said to be isogenous over $\mathbb{F}_{q^n}$ if $\#E_1(\mathbb{F}_{q^n}) = \#E_2(\mathbb{F}_{q^n})$.) They observed that this algorithm can be used to extend the effectiveness of the GHS attack. Namely, given an ECDLP instance on some cryptographically interesting elliptic curve $E_1/\mathbb{F}_{2^N}$, one can check if $E_1$ is isogenous to some elliptic curve $E_2/\mathbb{F}_{2^N}$ which yields an easier HCDLP than $E_1$, and then use an isogeny $\varphi : E_1 \to E_2$ to map the ECDLP instance to an instance of the ECDLP in $E_2(\mathbb{F}_{2^N})$. For example, in the case $N = 165$, we can expect that roughly $2^{\cdots}$ out of $2^{165}$ elliptic curves over $\mathbb{F}_{2^{165}}$ are isogenous to one of the $\approx 2^{\cdots}$ elliptic curves over $\mathbb{F}_{2^{165}}$ having magic number $m = 5$ relative to $n = 15$. Note, however, that finding a curve with $m = 5$ isogenous to a given elliptic curve over $\mathbb{F}_{2^{165}}$ (assuming that such an isogenous curve exists) may be difficult as one essentially has to search through the entire set of $2^{\cdots}$ curves.

¹ We have computed explicit ECDLP instances (i.e., the elliptic curve equations and points) over these six fields and the HCDLP instances (i.e., the hyperelliptic curve equations and divisors) they are mapped to under the GHS attack. These instances have not been included here due to space constraints.

Remark 19 (finding cryptographically interesting elliptic curves with given $(N, l, m)$ parameters) One can attempt to find a cryptographically interesting elliptic curve with given $(N, l, m)$ parameters as follows. First select arbitrary $b$ from the set $B = \{b \in \mathbb{F}_{2^N} : m(b) = m\}$; that the elements of $B$ can be efficiently enumerated can be seen from Theorem 5(i). Next, compute $H = \#E_b(\mathbb{F}_{2^N})$ where $E_b : y^2 + xy = x^3 + b$ using Satoh's algorithm [23,5], and test if either $H$ or $2^{N+1} + 2 - H$ (the order of the twist of $E_b$) is almost a prime. Observe that if $b \in B$, then $b^2 \in B$. Moreover, $E_b$ and $E_{b^2}$ are isogenous over $\mathbb{F}_{2^N}$. Thus, if $b \in B$ has already been tested, then one should not select $b^{2^i}$ for any $1 \le i \le N - 1$. Now, it is known that the order of a randomly selected elliptic curve over $\mathbb{F}_{2^N}$ is roughly uniformly distributed over the even integers in the Hasse interval $[(2^{N/2} - 1)^2, (2^{N/2} + 1)^2]$. Thus, if the set $B$ has sufficiently large cardinality (which can be determined from Lemma 7), then we can expect to quickly find an elliptic curve of almost prime order.

6 Conclusions 

We analyzed the GHS Weil descent attack on the ECDLP for elliptic curves defined over characteristic two finite fields $\mathbb{F}_{2^N}$ of composite extension degree $N \in [160, 600]$. For some such fields, there are cryptographically interesting elliptic curves over $\mathbb{F}_{2^N}$ where the ECDLP succumbs to the GHS attack. For other such fields $\mathbb{F}_{2^N}$, our results demonstrate that there are no cryptographically interesting elliptic curves over $\mathbb{F}_{2^N}$ for which the GHS attack yields an ECDLP solver that is faster than Pollard's rho method.

We stress that any statement we have made regarding the failure of the GHS attack on some elliptic curves over some field $\mathbb{F}_{2^N}$ is dependent on the assumption that the Enge-Gaudry algorithm cannot be significantly improved, and, in particular, that the linear algebra stage is intractable if the factor base size is greater than $10^7$. Also, we stress that failure of the GHS attack does not imply failure of the Weil descent methodology: there may be other useful curves which lie on the Weil restriction $W_{E/k}$ that were not constructed by the GHS method. We thus hope that our work can serve as a stimulus for further work on the Weil descent method, on subexponential-time index-calculus methods for the HCDLP, and on algorithms for solving large systems of sparse linear equations.
Abstract. Imai and Matsumoto introduced alternative algebraic methods for constructing public key cryptosystems. An obvious advantage of these public key cryptosystems is that the private side computations can be made very efficient with simple hardware. Almost all of these proposals and variants of them were broken. However, scheme "B" in [3] is still unbroken. In this paper we show some statistical weaknesses of this scheme. In particular, we show that trying to minimize the size of the public key facilitates a cryptanalytic attack that enables the cryptanalyst to decrypt, with high probability of success, a given ciphertext by performing a very limited number of encryption operations using the public encryption function.

Keywords: Public-key cryptosystems, cryptanalysis, Imai and Matsumoto asymmetric cryptosystems



1 Introduction 

Public key cryptosystems based on the integer factorization and discrete log problems, such as RSA and ElGamal [7], need to perform a large amount of arithmetic operations, so they are not very efficient compared to symmetric key cryptosystems such as DES. Imai and Matsumoto [3] [6] and Matsumoto et al. [5] introduced alternative algebraic methods for constructing public key cryptosystems. An obvious advantage of these public key cryptosystems is that the private side computations (decrypting and signing) can be made very efficient with simple hardware. Almost all of these proposals and variants of them were broken (see [1], [2], [8], [9], [10], [11], [12]). However, as noted in [2], scheme "B" in [3], which was originally proposed by Matsumoto et al. in [5], is still unbroken. In this paper we introduce a piecewise affine approximation attack on this scheme and show that it is insecure.
Fig. 1. The basic idea of Imai and Matsumoto Scheme B



2 Description of Scheme “B” in [3] 

For a given block length $n$, the encryption function of Scheme "B" in [3] is composed of

$L_1 \circ f \circ L_2$ (1)

where $L_1$ and $L_2$ are two secret bijective linear mappings over $GF(2)^n$ and

$f(x) = ((x + c - 1) \bmod (2^n - 1)) + 1, \quad x \ne 0$ (2)

where $c$ is a secret positive integer whose binary representation has small Hamming weight, $\mathrm{wt}(c)$. The main reason to choose $c$ with a small Hamming weight is to reduce the size of the public key [3]. The encryption of $x$ is given by

$\mathrm{Enc}(x) = L_2(f(L_1(x))).$

The private key is $L_1$, $L_2$ and $c$. The public key is an AND-XOR array pattern for the $n$-tuple of $n$-variate sparse polynomials over $GF(2)$ representing the composite function $\mathrm{Enc}(\cdot)$. As mentioned above, a small value of $\mathrm{wt}(c)$ is required to reduce the public key size. This restriction is the basic motive for our attack. The security of this scheme (see Figure 1) relies on the fact that the transformations $L_1$, $L_2$ and $f$ operate on two different algebraic structures ($GF(2)^n$ and the set of non-negative integers $< 2^n$). Thus $\mathrm{Enc}^{-1}(\cdot)$ is assumed to have a complex representation when considered as a mapping over only one of these two structures. In other words, it is assumed that it is difficult to obtain any simple algebraic description for the function $\mathrm{Enc}^{-1}(\cdot)$ given only the AND-XOR array of the function $\mathrm{Enc}(\cdot)$. The size of the public and secret key bits and the complexity of the encryption and decryption operations are all $O(n^{\cdots})$.



3 Observations 

Our attack is based on the following observation.

Observation 1 For a small Hamming weight of $c$, the piecewise affine approximation of the function $f$ in equation (2) has a small number of affine segments over $GF(2)^n$ compared to that of a randomly selected bijective mapping. Moreover, most of the points belong to a small number of segments, i.e., a small number of segments is enough to achieve a good approximation accuracy.

Example 1. Let $n = 8$ and $c = 3$ with Hamming weight 2. Then for $x \ne 0$, the binary representation of $f$ belongs to one of the following piecewise affine functions

$l_i(x) = x \oplus d_i$

where $d_i \in \{3, 5, 7, 13, 15, 29, 31, 61, 63, 125, 127, 252, 253, 255\}$. The number of points on each segment is shown in Table 1. It is clear that the approximation accuracy using the first two constants is about 50%. Using the first 8 constants the accuracy increases to about 94%.



Table 1. The affine constants for Example 1

Constants $d_i$: 5, 3, 7, 13, 29, 15, 61, 31, 63, 252, 253, 127, 255

Number of points on each segment: 64, 63, 32, 32, 16, 16, 4, 4, 3, 2, 2, 1



Example 2. Let $n = 16$ and $c = 1056$ with Hamming weight 2. Then more than 90% of the points corresponding to the binary representation of the function belong to one of the following affine segments

$$l_i(x) = x \oplus d_i,$$

where

$$d_i \in \{15456, 2016, 3040, 31776, 3552, 7392, 1504, 15392, 3296, 7264, 1248, 3168, 7200, 1120, 3104, 1056\}.$$



Table 2 shows the expected number of segments for $n = 8, 10, 12$. The average number of segments for a randomly selected bijective mapping (obtained by our experiments) is around 176, 690 and 2778 for $n = 8$, 10 and 12 respectively. In all of our experiments with small values of $wt(c)$, there always exists an affine relation satisfied by > — 1 points.

Table 2. Average number of segments in the piecewise approximation of $f$, by $wt(c)$

wt(c)    1     2      3     4       5       6       7       8      9     10   11   12
n = 8          19     28    31.63   28      19              1
n = 10   11    27.33  47.5  64.43   71.06   64.43   47.5    27.33  11    1
n = 12   13    37     73.4  114.4   147.17  159.72  147.17  114.4  73.4  37   13   1

Using Observation 1 the encryption function (and consequently the decryption function) can be divided into $M$ affine segments $\mathrm{Enc}_i(\cdot)$, $i = 1, 2, \dots, M$, where $\mathrm{Enc}_i(x)$ is given by

$$\mathrm{Enc}_i(x) = L_2\bigl(L_1(x) \oplus d_i\bigr) = L_2 L_1(x) \oplus b_i,$$

and $b_i = L_2(d_i)$, $i = 1, 2, \dots, M$. Thus for any specific $L_1$, $L_2$, $c$, the input (plaintext) space can be partitioned into $M$ sets such that the ciphertext $Y$ of each set is related to the plaintext $X$ by an affine relation

$$Y = AX \oplus b_i,$$

where $A = L_2 \circ L_1$. The expected value of $M$ is small for $c$ with small Hamming weight.

Remark 1. Probabilistic interpolation attacks [4] based on Sudan's algorithm [13], which operates over $\mathrm{GF}(2^n)$, cannot be used to recover these affine segments, since an affine function over $\mathrm{GF}(2)^n$ will have a high degree when considered as a function over $\mathrm{GF}(2^n)$ [14].

In the following, we describe the basic step in the attack. We use a differential-like attack to group pairs that belong to the same segment. Figure 2 shows the algorithm that enables us to do so. We pick random triples $R_1$, $R_2$ and $R_3$ and test the condition

$$\mathrm{Enc}(R_1) \oplus \mathrm{Enc}(R_2) \oplus \mathrm{Enc}(R_3) \oplus \mathrm{Enc}\bigl(R_3 \oplus (R_1 \oplus R_2)\bigr) = 0.$$

This condition is satisfied if $R_1$, $R_2$, $R_3$ and $R_1 \oplus R_2 \oplus R_3$ are all on one affine segment. Since there is no guarantee that $R_3$ and $R_3 \oplus (R_1 \oplus R_2)$ belong to segment $S_i$ even if $R_1$ and $R_2$ do, we repeat the test for different values of $R_3$ (Trials in Figure 2). We decide that $R_1$ and $R_2$ belong to the same segment if the equation above is satisfied a large number of times (Threshold in Figure 2). To prevent the algorithm from accepting wrong pairs we may increase the value of Trials and make the value of Threshold very close to Trials. However, very large values of Trials increase the number of plaintext-ciphertext pairs required to break the algorithm. Throughout our experiments, we set Threshold = Trials.

1. $R_1 = \mathrm{Random}()$
2. $R_2 = \mathrm{Random}()$
3. $pass = 0$
4. $\delta_x = R_1 \oplus R_2$
5. for $i = 1$ to $Trials$
6. {
7. $R_3 = \mathrm{Random}()$
8. $R_4 = R_3 \oplus \delta_x$
9. $\delta_y = \mathrm{Enc}(R_1) \oplus \mathrm{Enc}(R_2) \oplus \mathrm{Enc}(R_3) \oplus \mathrm{Enc}(R_4)$
10. if ($\delta_y = 0$) increment $pass$
11. }
12. if ($pass \geq Threshold$) declare $R_1$ and $R_2 \in$ same set

Fig. 2. The Basic Step in the Attack

One can prove that the plaintexts that belong to the same linear segment are not linearly independent, and hence the matrix $A$ cannot be uniquely determined by collecting plaintext-ciphertext pairs on one segment. In fact, our experiments show that the matrix $A$ cannot be uniquely determined by any reasonable number of queries to the encryption function. So our attack does not try to find such a unique solution for $A$.



4 The Attack 

Let $x_1, x_2$ be on the same affine segment $S_i$. Then

$$\mathrm{Enc}(x_1) \oplus \mathrm{Enc}(x_2) = Ax_1 \oplus b_i \oplus Ax_2 \oplus b_i = A(x_1 \oplus x_2),$$

which is independent of the segment they belong to and depends only on the difference $(x_1 \oplus x_2)$. Our attack proceeds as follows:

1. Use the basic step in Figure 2 to pick any two plaintext points $(x, x \oplus \delta_x)$ that are on the same segment. Collect enough $(\delta_x, \delta_y)$ pairs with linearly independent $\delta_x$'s.

2. Solve for the matrix $B$ that satisfies the linear relation

$$\delta_x = B \cdot \delta_y.$$

The coverage of the attack (i.e., the probability of being able to decrypt a random ciphertext) increases exponentially with the number of pairs collected in step 1. (Remark. Note that $(L_2 L_1)^{-1}$ is not the only valid solution for $B$.)

After determining this linear relation between the $\delta_x$'s and $\delta_y$'s we can decrypt any given ciphertext $u$ as follows:

1. Pick a random $x$ and assume that it is on the same segment as $\mathrm{Dec}(u)$.

2. Calculate

$$\mathrm{TrialDec}(u) = x \oplus B \cdot \bigl(u \oplus \mathrm{Enc}(x)\bigr). \qquad (3)$$

3. Using the public encryption function, verify whether $\mathrm{Enc}(\mathrm{TrialDec}(u)) = u$.

If yes, then we have found $\mathrm{Dec}(u)$. If no, then pick a different $x$ and repeat the steps above.

Relation (3) holds if $x$ and $\mathrm{Dec}(u)$ belong to the same segment, and this happens with high probability because we have a small number of segments.
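As an added example (not code from the paper), the Python below models the structure described in Sections 3 and 4 on a constructed toy key with $n = 8$: random invertible $L_1$, $L_2$ over GF(2) and, since the definition of $f$ in equation (2) is not on this page, the integer map $y + c \bmod 2^n$ as a stand-in for $f$. It computes the segment profile behind Observation 1 and Table 1, compares the segment count with that of a random bijection, and checks the affine relation of Section 4 and the trial decryption of equation (3) against the public $\mathrm{Enc}$.

```python
"""Toy model of the piecewise-affine structure of Scheme B: Enc = L2 . f . L1 on GF(2)^n.

Matrices over GF(2) are lists of n ints; bit j of row i is the entry (i, j).
"""
import random
from collections import Counter

N = 8                        # toy block size (the paper's tables start at n = 8)

def f_add(y, c, n=N):
    """Stand-in for the integer map f of equation (2), which is not on this page:
    addition of the constant c modulo 2^n (an assumption of this example)."""
    return (y + c) & ((1 << n) - 1)

def segment_profile(fn, n=N):
    """For every y != 0, d = y xor fn(y) identifies the affine segment l_d(y) = y xor d.
    Returns {d: number of points on that segment}."""
    return Counter(y ^ fn(y) for y in range(1, 1 << n))

def coverage(profile, k):
    """Fraction of the 2^n - 1 points lying on the k most populated segments."""
    top = sorted(profile.values(), reverse=True)[:k]
    return sum(top) / sum(profile.values())

def random_bijection_segments(n=N, seed=1):
    """Segment count of a random permutation of GF(2)^n, for comparison."""
    perm = list(range(1 << n))
    random.Random(seed).shuffle(perm)
    return len(segment_profile(perm.__getitem__, n))

def parity(v):
    return bin(v).count("1") & 1

def mat_vec(m, v):
    """Matrix-vector product over GF(2)."""
    return sum(parity(row & v) << i for i, row in enumerate(m))

def mat_inv(m):
    """Gauss-Jordan inverse over GF(2); returns None if m is singular."""
    n = len(m)
    rows = [(m[i], 1 << i) for i in range(n)]            # augmented [m | I]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][0] >> col & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and rows[r][0] >> col & 1:
                rows[r] = (rows[r][0] ^ rows[col][0], rows[r][1] ^ rows[col][1])
    return [inv for _, inv in rows]

def mat_mul(a, b):
    """Matrix of the composition x -> a(b(x)), i.e. A = L2 . L1 when a = L2, b = L1."""
    n = len(a)
    cols = [mat_vec(a, mat_vec(b, 1 << j)) for j in range(n)]
    return [sum(((cols[j] >> i) & 1) << j for j in range(n)) for i in range(n)]

def random_invertible(n, rng):
    while True:
        m = [rng.randrange(1, 1 << n) for _ in range(n)]
        if mat_inv(m) is not None:
            return m

def make_scheme(c, n=N, seed=7):
    """Constructed toy key: random invertible L1, L2 and the stand-in f with constant c.
    Returns (L1, L2, Enc) where Enc is the public encryption map x -> L2(f(L1(x)))."""
    rng = random.Random(seed)
    L1, L2 = random_invertible(n, rng), random_invertible(n, rng)
    return L1, L2, (lambda x: mat_vec(L2, f_add(mat_vec(L1, x), c, n)))

def trial_dec(u, x, B, enc):
    """Equation (3): x xor B(u xor Enc(x)); correct when x and Dec(u) share a segment."""
    return x ^ mat_vec(B, u ^ enc(x))

def decrypt_by_segments(u, B, enc, n=N):
    """Section 4 loop: try equation (3) for successive x and verify with the public Enc.
    Returns (plaintext, number of x tried) or (None, 2^n)."""
    for tries, x in enumerate(range(1 << n), start=1):
        cand = trial_dec(u, x, B, enc)
        if enc(cand) == u:
            return cand, tries
    return None, 1 << n

if __name__ == "__main__":
    prof = segment_profile(lambda y: f_add(y, 3))
    print(len(prof), "segments for c = 3;", random_bijection_segments(), "for a random bijection")
    print("coverage of the 2 largest segments: %.3f" % coverage(prof, 2))
```

The exact segment counts depend on the stand-in $f$, so they differ from Table 1 in detail; the point is the gap between a few dozen segments for small $wt(c)$ and the hundreds produced by a random bijection.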

One should note that deriving an accurate theoretical estimate for the number of encryption operations required to achieve a certain coverage is difficult because the $\mathrm{Enc}(\cdot)$ function does not behave like a random function. Table 3 and Table 4 show the results of some of our experiments for $wt(c) = 1, 2$ and $n = 16, 18, 20$. The tables show the number of queries (to the public encryption function) that are required to successfully decrypt more than 50% of a random sample of 100 ciphertexts. Increasing the coverage close to 99% requires a slight increase in the number of collected pairs. For example, for $n = 20$, $wt(c) = 1$, only a total of 866 and 900 encryption operations were required to increase the coverage to 92% and 98% respectively. Let $P$ denote the number of chosen plaintext-ciphertext pairs required to achieve a certain coverage. Then our experimental results show that, on average and for a fixed small Hamming weight of $c$, the fraction $P/2^n$ decreases dramatically with $n$.



Table 3. Experimental Results for $wt(c) = 1$

n     Number of Encryption Operations     Coverage
16    813                                 56%
18    670                                 66%
20    630                                 64%

Table 4. Experimental Results for $wt(c) = 2$

n     Number of Encryption Operations     Coverage
16    2418                                61%
18    2605                                51%
20    3525                                61%



5 Conclusion

For some selections of the algorithm parameter $c$, the encryption and decryption operations in Scheme B proposed by Imai et al. can be approximated by a piecewise affine function over $\mathrm{GF}(2)^n$ with a small number of affine segments. Trying to minimize the size of the public key by using a very small Hamming weight for the algorithm parameter $c$ reduces the number of these affine segments and may compromise the security of the algorithm. It should be noted that avoiding such selections for $c$, while it may increase the size of the public key, makes the algorithm totally secure against our attack, and the security of this scheme then remains an open problem.
Appendix: A Detailed Example

In this section we give a detailed example of our attack on a toy version with $n = 20$, $c = 4096$, $wt(c) = 1$. $L_1$ and $L_2$ are given by

$L_1$ =
10000111111101101000
00100010101100010100
01110111110111011011
01000010000111101101
00111100101000111101
11011110000000001011
01110000101111100000
00011101110100011110
11100100000001100111
11001010000111100010
00001110110101101001
01111010100000111010
10100001010101100111
00100111010001001101
00001010000100000010
10000100011011001101
10111010101000110011
11001101010100011101
00011000001100010111
00101101101010101001

$L_2$ =
11101110110101100010
10001101001111111100
11000100110100011111
01110111000001110011
10111000011110101000
00010110100010100010
00111010010011001010
11011010000111100111
10010001010100010111
11111100100010100101
01100101000010000111
10100010010111001111
10101100010100100111
01001011000100011001
10000101001000110111
01001000101111001001
10010100011110100101
01111101000010100100
11111110000000110100
01110101111111000010

respectively. By setting Threshold = Trials = 8 (see Figure 2) we were able to collect the following 19 $(\delta_x, \delta_y)$ pairs:

(624503, 241984) (776771, 695001) (327753, 131087) (55169, 514545)
(202272, 445310) (602355, 656872) (917362, 320210) (58440, 623796)
(974042, 35345) (715678, 214754) (383370, 531929) (204095, 609811)
(653178, 824812) (108979, 97871) (174443, 861123) (469759, 1002664)
(741723, 572238) (671505, 841867) (928012, 475934)

by performing 1736 encryption operations. We chose the $\delta_x$'s to be linearly independent. Using the above pairs, we formed the following linear relation for any points on the same segment:

$$\delta_x = B\,\delta_y,$$

where $B$ is given by

for any $u_i \in \{0, 1\}$, $i = 1, 2, \dots, 20$. Using this relation and the pool of already encrypted 1736 plaintext-ciphertext pairs, we were able to decode correctly 99.946% of a random 100,000 ciphertexts.
Abstract. This paper describes a secure Pay TV protocol based on a public-key distributed encryption scheme that enables the Pay TV broadcaster to robustly add or remove any subscriber without changing the private decryption keys of other subscribers. In other words, the updating process is transparent to the subscribers. This feature exhibits a distinct advantage over a symmetric key based system where all subscribers share a single key and therefore it is impossible to dynamically remove a subscriber from the system.



1 Introduction 

A typical Pay TV system consists of a broadcaster and a number of subscribers. The broadcaster broadcasts TV programs to its subscribers. When a Pay TV program is transmitted through an optical fibre or a microwave network, the protection of the program must be enforced against non-subscribers. This can be done using a symmetric-key cryptographic algorithm. That is, the Pay TV broadcaster and all its subscribers share a secret key that is used by the broadcaster to encrypt the TV signal and is then used by subscribers to decrypt the signal. The major disadvantage of such a scheme is that it is difficult for the broadcaster to stop an illegal user who has the secret key from receiving Pay TV programs, since the secret key is shared by all subscribers. Changing the shared secret key requires updating all decoding boxes of subscribers. This is infeasible and costly.

In this paper, we propose an asymmetric key based Pay TV system tackling 
this problem. The proposed system meets the following criteria: 

1. The broadcaster can arbitrarily add or remove a subscriber to or from the 
system without changing the decryption keys of other subscribers. 

2. Subscribers are required to have the minimum computational power. 

The major task of constructing a public key broadcasting system is to find an algorithm where a public key maps to several associated private keys. This kind of mapping was first introduced by Desmedt [1]. Group signatures [2,3,4,5] and distributed encryption [6,7] can be considered as examples of this kind of mapping. Unfortunately, the existing distributed encryption schemes cannot be used in a Pay TV system, due to their computational complexity. Moreover, in these schemes, the Pay TV broadcaster is not able to remove a subscriber from the system without the involvement of all other subscribers.

The scheme proposed in this paper is a variant of [6], but it makes significant progress in the revocation of decryption keys used for a secure broadcasting service and in computational efficiency. The major computation in the system is shifted from its subscribers to the broadcaster and can be done in the setup phase; therefore the actual encryption and decryption computational complexity is minimised.

The rest of this paper is arranged as follows. Section 2 describes the basic model. Section 3 gives the preliminary knowledge required for the new scheme, where we review the basic algorithm to be used in our system. Section 4 introduces the system setup. Section 5 describes the secure Pay TV protocol. Section 6 shows how to update the system by adding or removing a subscriber. The last section gives our concluding remarks.

2 Model 

A typical Pay TV system consists of a broadcaster and a number of subscribers. 
The broadcaster broadcasts TV programs to its subscribers through a secure 
channel. 

Let us consider the situation where the secure transmission of Pay TV signals
is based on the public-key distributed encryption of [6]. A distributed encryption
system consists of a manager and several users who form a group managed by the 
manager. The group manager has two major tasks: constructing a unique group 
public key and doing revocation. In the group, all group members or users have 
a private decryption key that can be used for decryption. The group possesses a 
unique public key or a group public key that maps to all private keys owned by 
its members. A message encrypted using the group public key can be decrypted 
using any one of these private keys. 

The broadcaster in our Pay TV system acts as a group manager who uses 
the group public key or the encryption key to encrypt TV signals that are then 
transmitted to its subscribers or members who respectively possess a private key 
or decryption key that can be used to decrypt the TV signals. 

Our system differs from a normal distributed encryption system in that it 
allows the Pay TV broadcaster to remove or add a decryption key from or to 
the public key such that it is easy for the broadcaster to perform the basic man- 
agement over the system without any involvement of subscribers. The difference 
also lies in the fact that our scheme has very low computational complexity. 

3 Preliminaries 

In this section, we describe the distributed encryption algorithm, a variant of that proposed in Ref. [6].

The security of this system relies on the difficulty of computing discrete logarithms. The protocols are based on a polynomial function and a set of exponentials. Let $p$ be a large prime, $q$ an integer with $q \mid p - 1$, and $g \in \mathbb{Z}_p^*$ a generator of the multiplicative subgroup of order $q$. Let $x_i \in_R \mathbb{Z}_q$ for $i = 1, 2, \dots, n$ be a set of integers. The polynomial function of order $n$ is constructed as follows:

$$f(x) = \prod_{i=1}^{n}(x - x_i) = \sum_{i=0}^{n} a_i x^i \pmod q,$$

where $\{a_i\}$ are the coefficients of the expanded product, with $a_n = 1$. It is noted that $\sum_{i=0}^{n} a_i x_j^{\,i} = f(x_j) = 0$ for every root $x_j$. This property is important for us to construct the distributed encryption system.

Having the set $\{a_i\}$, we can then construct the corresponding exponentials $\{g^{a_0}, g^{a_1}, \dots, g^{a_n}\} = \{g_0, g_1, \dots, g_n\}$. All elements are computed modulo $p$. For convenience, we will omit modulo $p$ in the rest of this paper. Note that $\prod_{i=0}^{n} g_i^{\,x_j^i} = 1$ for every $j$.

Now we are ready to construct an asymmetric-key system where the encryption key is the tuple $\{g_0, g_1, \dots, g_n\}$ mapping to $n$ decryption keys $\{x_i\}$. The encryption key should not be made public; otherwise it needs some additional algorithm to make it secure [6]. Actually, in a Pay TV system, the encryption key is never made public.

Let $H$ be a strong one-way hash function and $M$ be the message to be sent to a recipient by the sender who possesses the encryption key. The idea of this protocol is for the sender to encrypt a message $M$ using the encryption key and produce the corresponding ciphertext that can be decrypted by anyone who has a private key $x_i \in \{x_1, x_2, \dots, x_n\}$.

To encrypt a message $M$, the sender picks a random number $k' \in_R \mathbb{Z}_q$, computes $k = H(m)$ and encrypts $M$ using the encryption key to obtain the ciphertext $c = (c_1, c_2)$, where $c_1 = \bigl(g^{k'} g_0^{\,k},\ g_i^{\,k}\bigr)$, $i = 1, \dots, n$, and $c_2 = M g^{k'}$. $c$ is sent to the recipients.

Since all recipients have their private decryption keys, they can obtain $M$ by decrypting the ciphertext $c_2$. The process is as follows. For recipient $j$,

$$d = g^{k'} g_0^{\,k} \prod_{i=1}^{n} \bigl(g_i^{\,k}\bigr)^{x_j^i} = g^{k'} \prod_{i=0}^{n} g^{\,k a_i x_j^i} = g^{k'} g^{\,k \sum_{i=0}^{n} a_i x_j^i} = g^{k'}.$$

The last equality holds because $\sum_{i=0}^{n} a_i x_j^i = 0$. The message can be recovered by computing $M = c_2 / d$.

This scheme is not suitable for a Pay TV system, because the recipients bear considerable computational overhead in order to decrypt a message, especially when the size of the recipient group is large. However, the properties of the polynomial function given here are useful for our new protocols.
4 System Setup

The broadcaster needs to prepare the encryption key and all decryption keys for 
its subscribers. It is assumed that the broadcaster has sufficient computational 
power, whereas its subscribers have very limited computational power. 

We assume that the system has an upper limit, $n$, on the maximum number of subscribers. The actual number of subscribers is $m$ for $0 < m < n$. The difference between $n$ and $m$ will be used for adding new subscribers to the system.

The construction of the encryption key and decryption keys follows the steps below:

— Select $n$ distinct random numbers $x_i$ for $i = 1, 2, \dots, n$, which form a set $X_n$ and a subset $X_m \subset X_n$.

— Compute $A = \prod_{j=1}\bigl(\prod_{i=0}^{n} g_i^{\cdots}\bigr)$. We will see later that the broadcaster needs only to compute $A$ once.

— Select an integer $b \in \mathbb{Z}_q$ and compute its multiplicative inverse $b^{-1}$ such that $b\,b^{-1} = 1 \bmod q$.

— Compute $x'_j = b^{-1} x_j'' \bmod q$, for $j = 1, 2, \dots, n$.

— Compute $X_j = s_j x'_j \bmod q$, where $s = s_1 s_2 \cdots s_n$ and $s_i s_i \bmod q = 1$ for all $s_i \in \mathbb{Z}_q$, i.e., each $s_i$ is its own multiplicative inverse. It is easy to see that this can be realised by simply setting $q = s_i(s_i - 1)/k$ for an integer $k$ such that $q + 1$ is still a prime. The solutions of $s_i$ can be found if $1 + 4kq = X^2$ where $X$ is an odd number. It is not difficult to see that there are infinitely many solutions when we let $k$ be $k'(1 + k'q)$ for an integer $k'$.

These values satisfy the equality:

$$\cdots = 1, \quad \forall j \in \{1, 2, \dots, n\}.$$

$A$ is kept by the broadcaster and will be used as the encryption key for broadcasting Pay TV signals. Since the encryption key is not public, there is no need for us to protect it against illegal modification.

$x_j$ and $X_j$ are given to subscriber $j$ as its secret decryption key during the process of its registration. The private decryption key doublet, $(x_j, X_j)$, is embedded in a tamper-proof box in the Pay TV decoding device for subscriber $j$, because there is no need for the subscriber to know it. This assumption seems necessary, otherwise it would be possible to illegally forge a decoding device. However, we assume that subscribers know their decryption keys and that the algorithm meets the condition that it is secure against any collusion attacks. This assumption gives our scheme better applicability in other secure broadcasting services.

5 Broadcasting Protocol

The unique encryption key $A$ is used for the encryption of Pay TV signals. Any subscriber who has a legitimate private decryption key can decrypt them. Assuming that $M$ is the TV signal to be transmitted, the broadcasting protocol is given as follows:

— Select an integer $k \in_R \mathbb{Z}_q$.

— Compute g = and g = g“^^ . 

— Compute the ciphertext c = 

— Broadcast the triplet {g, g, c) to all subscribers. 

To decrypt it, the subscriber j computes 

= M. 

Remark 1: In consideration of further efficiency, the system should be made hybrid, e.g., the broadcaster encrypts a symmetric session key using the encryption key and then uses the session key to encrypt the Pay TV signals. That is, the symmetric key system is used for secure transmission of Pay TV signals and the public key system is used for secure transmission of the secret session key only. The subscribers obtain the session key using their private decryption keys and decrypt the Pay TV signals using the session key.

The completeness of this protocol is obvious:

Lemma 1. For a given ciphertext $c$, if the broadcaster follows the correct encryption procedure, any registered subscriber can correctly decrypt the ciphertext to obtain $M$.

Proof: Obvious. This is based on the following: when a registered subscriber $j$ decrypts the signals, he does not change the value of $s$, i.e. $s s_j = s \bmod q$. Therefore, in the decryption, he can remove $A$ from $c$:

$$\cdots = M \prod_{j=1}^{n}\Bigl(\prod_{i=0}^{n} g_i^{\cdots}\Bigr) = M.$$

The last equality is based on $\prod_{j=1}^{n}\bigl(\prod_{i=0}^{n} g_i^{\cdots}\bigr) = 1$.

The soundness of the protocol is twofold. The basic security of the system is based on the trustworthiness of the broadcaster. This makes sense, since in practice the broadcaster should have the ultimate control over the system. On the other hand, it is also quite clear that any party who has not registered with the system cannot decrypt the Pay TV signal. Finding a correct decryption key is equivalent to computing a discrete logarithm, which is infeasible in a polynomial time frame. We can actually see that this encryption scheme is a variant of ElGamal's encryption scheme [8]. The only difference is that the encryption key $A$ is constructed differently.

6 Update Protocols

The broadcaster has complete control over who can decode the TV program. In other words, the broadcaster can remove or add any subscriber when needed. We now present two schemes to show that this updating process does not require any cooperation of the subscribers.

6.1 Removing a Subscriber: Scheme 1

To remove a subscriber $\gamma$ from the list, the broadcaster needs to

— Recompute $A$:

$$A = \prod_{j=1,\, j \neq \gamma}^{n} \Bigl(\prod_{i=0}^{n-1} g_i^{\cdots}\Bigr).$$

— Compute a new parameter $d = g^{-\cdots}$.

To broadcast a TV signal, the broadcaster now needs to compute the cipher- 
text in terms of 

c' = 

where s' = Er=i.i #7 Si mod q. The broadcasted token consists of (g, g, c'), where 
g = and g = 

To decrypt it, the subscriber j computes 

= M. 



The completeness of this protocol is given in the lemma below.

Lemma 2. A registered subscriber can decrypt the Pay TV signals using his secret key.

Proof: Obvious. This is based on the following: when a registered subscriber $j$ decrypts the signals, he does not change the value of $s'$, i.e. $s' s_j = s' \bmod q$. Therefore, in the decryption, he can remove $A$ from $c$:






$$\cdots = M \prod_{j=1,\, j \neq \gamma}^{n}\Bigl(\prod_{i=0}^{n} g_i^{\cdots}\Bigr) = M.$$

The last equality is due to $\prod_{j=1,\, j \neq \gamma}^{n}\bigl(\prod_{i=0}^{n} g_i^{\cdots}\bigr) = 1$. □

The soundness of the protocol is shown in the following lemma.

Lemma 3. After a subscriber has been removed from the system, he cannot decrypt the Pay TV signal using his secret decryption key doublet.

Proof: This is also obvious. It is based on $s' \neq s' s_\gamma \bmod q$ for the removed subscriber $\gamma$. □

We have assumed that the secret decryption keys of all subscribers have been embedded in a tamper-resistant decoding box that should not be seen by the subscribers. However, let us consider the case where the subscribers, including the one who has just been removed from the system, know their secret decryption keys. In the following lemma we show that the updating protocol is still sound against collusion attacks.

Lemma 4. The broadcasting protocol is secure against collusion attacks of the subscribers.

Proof: It is clear that if a subscriber $i$ finds the value of $b^{-1} x_i''$, he can then decrypt the Pay TV signal easily. We first examine whether or not several subscribers can compute $b^{-1} x_i''$ based on their secret keys. Assume there are two subscribers, $i$ and $j$, with private key doublets $(x_i, X_i)$ and $(x_j, X_j)$ respectively. By subtracting $X_j$ from $X_i$, we have $X_i - X_j = b^{-1}(x_i'' - x_j'')$. If there is another subscriber $k$ who is also involved in the computation, we then have an additional equation $X_i - X_k = b^{-1}(x_i'' - x_k'')$. Any additional subscriber has to introduce a new unknown variable to the computation. Also recall that $X_j = s_j x_j'' \bmod q$ and $s_i \neq s_j \neq s_k$. Therefore, this kind of collusion attack is not feasible. □

Remark 2: The broadcaster does not need to recompute $A$ if all the data from the setup phase have been stored. The only thing needed is to remove the part related to subscriber $\gamma$ from $A$.

6.2 Removing a Subscriber: Scheme 2

This scheme is much simpler than the first scheme. The broadcaster does not need to reconstruct the encryption key $A$. Instead, the broadcaster just recomputes $s$ such that the $s_\gamma$ of the subscriber to be removed is dropped from the computation, i.e., $s = \prod_{i \neq \gamma} s_i$. Under this scheme, the broadcasting protocol given in Section 5 can still be used without any modification. The removed subscriber cannot decrypt the Pay TV signal since $s_\gamma s \neq s \bmod q$, while other subscribers can still decrypt the Pay TV signals as usual.

6.3 Adding a Subscriber

There are two ways for the broadcaster to add a new subscriber to the system.

1. The first approach makes use of an element in the spare set $X_n - X_m$. Recall that we have assumed that the actual number of subscribers is less than $n$, i.e., $m < n$ or $X_m \subset X_n$. To add a new subscriber, the broadcaster simply moves one unused element from $X_n - X_m$ to $X_m$. For convenience, we still denote the new set by $X_m$. Suppose that the new subscriber is denoted by subindex $\ell$ and is given $x_\ell$ and $X_\ell$ as his decryption key doublet stored in his decoding box.

2. The second approach reuses $x_\gamma$ after $x_\gamma \in X_m$ has been removed from the system. Once $x_\gamma$ has been removed from the system, the corresponding party $\gamma$ is no longer able to decrypt Pay TV programs. However, because $x_\gamma$ still exists in $X_m$, it is perfectly legal for the broadcaster to reuse it, provided that the removed subscriber $\gamma$ cannot gain anything from it. The algorithm for the broadcaster to reuse $x_\gamma$ is actually very simple, namely for a new subscriber $r$ the broadcaster needs only to generate a new $s_r$ and compute a new $s$ by replacing $s_\gamma$ with $s_r$, i.e., $s = s_1 s_2 \cdots s_r \cdots s_n$. The new decryption key is then constructed in the same manner: $x'_r = b^{-1} x_r'' \bmod q$ and $X_r = s_r x_r'' \bmod q$. The encryption protocol in Section 5 still stands. The soundness of this scheme is based on the following: $s X_r = s s_r x_r'' = s x_r'' \bmod q$ and $s X_\gamma = s s_\gamma x_r'' \neq s x_r'' \bmod q$.

7 Concluding Remarks 

We have proposed a new scheme for a public-key based broadcasting system, where the broadcaster can easily add or remove any subscriber when needed. More importantly, the updating process is transparent to subscribers, since they are not involved in the update computation. This provides an elegant solution to the revocation problem in a secure broadcasting service. It is clear that our scheme has a distinct advantage over a symmetric-key based method. In a symmetric key based system, all the subscribers share the same secret key in order to decrypt the Pay TV signals. This provides opportunities for forging Pay TV decoding boxes. This also makes it difficult for the broadcaster to exclude anyone from receiving the Pay TV signals (say, if a member does not pay his subscription).

On the other hand, our algorithm is designed in such a way that the subscribers need only limited computational power, while most computations are done on the side of the broadcaster. From the broadcaster's point of view the major computation involves the calculation of the encryption key $A$. It is noted that such computation can be done prior to broadcasting and is done once only. The encryption process involves only three exponentiations. On the subscriber's side, the decryption needs only two exponentiations. Furthermore, with the hybrid model such computations are for secure session key transmission only and the real signal encryption/decryption is done under a symmetric key algorithm.
Abstract. A secure threshold protocol for $n$ players tolerating an adversary structure $\mathcal{A}$ is feasible iff $\max_{a \in \mathcal{A}} |a| < n/c$, where $c = 2$ or $c = 3$ depending on the adversary being eavesdropping (passive) or Byzantine (active) respectively [1]. However, there are situations where the threshold protocol $\Pi$ for $n$ players tolerating an adversary structure $\mathcal{A}$ may not be feasible, but by letting each player $P_i$ act for a number of similar players, say $w_i$, a new secure threshold protocol $\Pi'$ tolerating $\mathcal{A}$ may be devised. Note that the new protocol $\Pi'$ has $N = \sum_{i=1}^{n} w_i$ players and works with the same adversary structure $\mathcal{A}$ used in $\Pi$. The integer quantities $w_i$ are called weights and we are interested in computing the $w_i$'s so that

1. $\Pi'$ tolerates $\mathcal{A}$ even if $\Pi$ does not tolerate $\mathcal{A}$.

2. $N = \sum_{i=1}^{n} w_i$ is minimum.

Since the best known secure threshold protocol over $N$ players has a communication complexity of $O(mN^2 \lg |F|)$ bits [9], where $m$ is the number of multiplication gates in the arithmetic circuit, over the finite field $F$, that describes the functionality of the protocol, it is evident that the weights assigned to the players have a direct influence on the complexity of the resulting secure weighted threshold protocol. In this work, we focus on computing the optimum $N$. We show that computing the optimum $N$ is NP-hard. Furthermore, we prove that the above problem of computing the optimum $N$ is inapproximable within

$$(1 - \epsilon)\ln(\cdots) - (c - 1), \quad \text{for any } \epsilon > 0$$

(and hence inapproximable within $\Omega(\lg |\mathcal{A}|)$), unless $\mathrm{NP} \subseteq \mathrm{DTIME}(\cdots)$, where $N^*$ is the optimum solution.



1 Motivating Example

Consider a set of five players $\mathcal{P} = \{P_1, P_2, P_3, P_4, P_5\}$ involved in a secure distributed protocol wanting to tolerate the (passive) adversary structure $\mathcal{A}$ given by

$$\mathcal{A} = \{(1, 2, 3), (1, 2, 4), (1, 5), (2, 5), (3, 4)\}.$$

* The first author would like to thank Infosys Technologies Ltd., India for financial support.

From the results of [1], it is clear that $\mathcal{A}$ cannot be tolerated by any threshold protocol. Nevertheless, the above adversary can be tolerated by a threshold-type protocol among nine players where players $P_1$, $P_2$, $P_3$, $P_4$ and $P_5$ act for one, one, two, two and three players respectively. This is indeed so because the corruption of any one set in the adversary structure leads to the corruption of at most four out of the nine players, which is tolerable [1]. In this example, $n = 5$, $w_1 = w_2 = 1$, $w_3 = w_4 = 2$, $w_5 = 3$, $c = 2$, $N = \sum_{i=1}^{5} w_i = 9$.
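The following Python, added here as an illustration (not the paper's code), checks the feasibility condition for the five-player example above and searches the weights exhaustively; the only assumption is that each weight is searched over 1..5. It confirms that $N = 9$ is the optimum for the passive case and finds no weight vector within that range that tolerates the same structure against an active adversary ($c = 3$).

```python
"""Weighted threshold check for the motivating example (added illustration, not the paper's code)."""
from itertools import product

# Adversary structure from the page: each tuple is a set of players that may be corrupted together.
ADV = [(1, 2, 3), (1, 2, 4), (1, 5), (2, 5), (3, 4)]

def max_corruption(weights, adv):
    """Largest number of virtual players corrupted by one adversary set, when player i
    acts for weights[i-1] virtual players."""
    return max(sum(weights[i - 1] for i in s) for s in adv)

def tolerates(weights, adv, c):
    """Feasibility condition of [1] on the N = sum(weights) virtual players:
    every adversary set must corrupt fewer than N/c of them (c = 2 passive, c = 3 active)."""
    return c * max_corruption(weights, adv) < sum(weights)

def optimum_weights(adv, n, c, max_w=5):
    """Smallest-N weight vector by exhaustive search over weights 1..max_w (fine for n = 5;
    the paper shows the general problem is NP-hard). Returns None if nothing in range works."""
    best = None
    for w in product(range(1, max_w + 1), repeat=n):
        if tolerates(w, adv, c) and (best is None or sum(w) < sum(best)):
            best = w
    return best

if __name__ == "__main__":
    w = (1, 1, 2, 2, 3)                  # the page's weights, N = 9
    print(max_corruption(w, ADV), tolerates(w, ADV, 2), optimum_weights(ADV, 5, 2))
```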

2 Basic Definitions and Model 

2.1 Secure Multiparty Computation 

Consider a fully connected synchronous network of $n$ players (processors), $\mathcal{P} =$
$\{P_1, P_2, \dots, P_n\}$, who do not trust each other. Nevertheless they want to com-
pute some agreed function of their inputs in a secure way. Security here means 
maintaining correctness of the output while keeping the players’ inputs as pri- 
vate as possible, even if some of the players are faulty. This task can be easily 
accomplished if there exists a trusted third party. But assuming the existence 
of such a trusted third party is quite unrealistic. The goal of secure multiparty 
computation is to transform a given protocol involving a trusted third party into 
a protocol without need for the trusted third party, by simulating the trusted 
third party among the n players. 

The players’ distrust in each other and in the underlying network is usually 
modeled via an adversary that has control over some of the players and commu- 
nication channels. Many different adversary models have been considered, each 
modeling different problems, or addressing a different setting. These approaches 
can be classified according to a number of criteria that are briefly discussed be- 
low. Adversaries are classified according to their computational resources (limited 
(cryptographic) or unli mited (information theoretic)), their control over commu- 
nication (secure, insecure, or unauthenticated channels), their control over cor- 
rupted players (eavesdropping (passive), fail-stop, or Byzantine (active)), their 
mobility (static, adaptive, or mobile) and their corruption capacity (threshold or 
non-threshold). In the information theoretic model one can distinguish between 
protocols with small {unconditional) or zero {perfect) failure probability. 

In the information theoretic setting, [I] gave a perfect protocol for the gen- 
eral secure multiparty computation problem in the synchronous secure channels 
model without broadcast and proved tight bounds on the number of corrupted 
players that can be tolerated. 

Theorem 1 ([!]). For every n > 2, there exist Boolean functions f such that 
there is no synchronous \^~\-secure protocol for n players that computes f. For 
every n > 3, there exist functions f such that no synchronous protocol for n 
players \ -securely computes f , if Byzantine adversaries are allowed. ■ 




234 K. Srinathan, C.P. Rangan, and V. Kamakoti 



2.2 The Adversary Model

In this section, we formally define the weighted threshold adversaries. We begin
with a brief look at the threshold adversaries.

Threshold Adversaries. A threshold adversary, A, is a probabilistic strategy
that can corrupt up to $t < n$ among the n players involved in the protocol. The
corruption may be either active or passive, by which we mean the following:

1. Passive Corruption: The adversary in this case behaves like an eavesdropper,
that is, the adversary can gather all the information present with the
corrupted players and can also perform any arbitrary computation on these
gathered data.

2. Active Corruption: The adversary here is also referred to as a Byzantine
adversary. It can do all that an eavesdropping adversary can and in
addition can also take complete control of the corrupted players and alter the
behaviour of the corrupted players in an arbitrary and coordinated fashion.

Tolerable Threshold Adversaries: It is known that all the passive threshold
adversaries such that $t < n/2$ can be tolerated. That is, it is possible
to construct multiparty computation protocols that are secure against such an
adversary. By security against an adversary A, we mean: whatever A does in
the protocol, the same effect (on the output) could be achieved by an adversary
(maybe different from A but similar to it in costs) in the ideal protocol (that
assumes the existence of a trusted third party to whom all the inputs can be
sent and outputs received). For more formal and "correct" definitions of security,
we refer the readers to [2,6,10]. Similarly, in the case of active adversaries, we
require that $t < n/3$.

Generalized Adversaries. In contrast to the threshold adversaries, [7,8] introduced
a more general adversary characterized by a monotone adversary structure
which is a set of subsets of the player set, wherein the adversary may corrupt the
players of one set in the structure. An adversary structure is said to satisfy the
$Q^{(c)}$ property if no c sets in the adversary structure cover the full set of players.
It is proved that in the passive model, every function can be computed securely
with respect to a given adversary structure if and only if the adversary structure
satisfies the $Q^{(2)}$ property. Similarly, in the active model, a secure computation
of a function is possible if and only if the adversary structure satisfies the $Q^{(3)}$
property.

Weighted Threshold Adversaries. The weighted threshold adversaries are
somewhere in between the threshold and the generalized adversaries. These
adversaries are characterized by adversary structures that possess the following
additional property so that they are tolerable: for each player $P_i$, $1 \leq i \leq n$, there
exists a non-negative weight $w_i$, such that the adversary structure is tolerated in
a threshold-type protocol with $N = \sum_{P_i \in V} w_i$ players. Hereafter in the sequel,




Toward Optimal Player Weights in Secure Distributed Protocols 235 

unless explicitly specified, we will use the term adversary structure to mean the
maximal basis¹.

In the weighted threshold adversary setting, one of the ways to improve the
complexity of the resulting secure protocol is to assign weights to each of the
players so that the adversary can be tolerated with the sum of the weights kept
at a minimum, since a larger sum of weights calls for a larger number of secret
shares (essentially of the same size) and hence an increase in the computation
and communication complexities.



3 The Optimal Player Weights Problem 

In this section, we define the problem of assigning optimum weights to the players
in a secure multiparty protocol tolerating weighted threshold adversaries.

Definition 1 (Optimum Assignment of Player Weights (OAPW)). Given
the player set $V = \{P_1, P_2, \ldots, P_n\}$, the adversary structure $A \subseteq 2^V$, and a
constant c, a valid assignment of player weights (if it exists) is a function
$f : V \to \mathbb{Z}^+ \cup \{0\}$ such that for all sets $z \in A$,

$\sum_{P_i \in z} f(P_i) < \frac{\sum_{P_i \in V} f(P_i)}{c}.$

A valid assignment of player weights, f, is said to be an optimum assignment of
player weights if there does not exist any valid assignment of player weights, f',
such that $\sum_{P_i \in V} f'(P_i) < \sum_{P_i \in V} f(P_i)$.

Definition 2 (Decision Version of the OAPW problem).

Instance: A finite set V, a collection A of subsets of V, a constant c, and a
positive integer k.

Question: Does there exist a valid assignment of player weights $f : V \to \mathbb{Z}^+ \cup
\{0\}$ such that $\sum_{P_i \in V} f(P_i) = ck + 1$ and, for all sets $z \in A$, $\sum_{P_i \in z} f(P_i) \leq k$?

From the constraint (refer Definition 2) that for all sets $z \in A$, $\sum_{P_i \in z} f(P_i) \leq k$,
it is obvious that we can restrict the range of the function f to $\{0, \ldots, k\}$. We
denote an instance of the OAPW problem by the ordered list $\langle V, A, c, k, r \rangle$,
where $f : V \to \{0, \ldots, r\}$, and the size of the solution to the above instance is
$ck + 1$.



4 Hardness of the OAPW Problem

Definition 3 (Density Index Number of a Graph G). Given a simple
undirected graph $G = (V, E)$, the c-Density Index Number of G is defined as

$c\text{-DIN}(G) = \min\{\, ck + 1 \mid \text{there exists } V' \subseteq V,\ |V'| = ck + 1, \text{ such that there does not exist a vertex } u \in V \text{ adjacent to } \geq k + 1 \text{ vertices in } V' \,\}.$

¹ Given the adversary structure A, the maximal basis $A_{basis} = \{z \in A \mid \nexists z' \in A \text{ with } z \subsetneq z'\}$.
Note that c = 2 if the adversary is passive and c = 3 if the adversary is active.

Theorem 2. Given a simple undirected graph $G = (V, E)$, the size of the minimum
dominating set (MDS) of G is equal to $1\text{-DIN}(G^c)$, where $G^c$ is the complement
of G.

Proof: Let $1\text{-DIN}(G^c) = k + 1$ and $V' \subseteq V$ be the subset satisfying the property
as defined in Definition 3 with $|V'| = k + 1$. From the definition of 1-DIN we see that
every vertex in V (and hence in $V - V'$) in $G^c$ is not adjacent to at least one
vertex in $V'$. This implies that in G, every vertex in $V - V'$ is adjacent to at least
one vertex in $V'$. Hence, $V'$ is a dominating set of G. If $V'$ is not a minimum
dominating set, then let U be a minimum dominating set of G. Then $|U| \leq k$
and any vertex $u \in V - U$ is adjacent to at least one vertex in U. Therefore in
$G^c$, any vertex $u \in V - U$ is not adjacent to all the vertices in U. Also, since no
vertex in U can be adjacent to all the vertices in U (due to the fact that a vertex
cannot be adjacent to itself), U satisfies the property of Definition 3 and so
$1\text{-DIN}(G^c) \leq |U| \leq k$, which is a contradiction. Thus, the
minimum constraint in the definition of 1-DIN implies that $V'$ is indeed an
MDS of G. ■

The fact that computing the size of an MDS of a graph is NP-complete [5] and
Theorem 2 imply the following theorem.

Theorem 3. Given a simple undirected graph $G = (V, E)$, computing $1\text{-DIN}(G)$
is NP-complete.



Theorem 4. $c\text{-DIN}(G)$ for any fixed constant c, where $G = (V, E)$ is a simple
undirected graph, is NP-Hard.

Proof: We reduce the problem $1\text{-DIN}(G)$ to the problem $c\text{-DIN}(G)$. Given an
instance of the problem $1\text{-DIN}(G)$, construct $G' = (V', E')$ containing c copies
of $G = (V, E)$: $V' = V_1 \cup \cdots \cup V_c$ such that $i \in V_j$ is relabelled $\langle i, j \rangle$. Similarly,
$E'$ contains c copies of E: $E' = E_1 \cup \cdots \cup E_c$ such that every pair of vertices
$(i, k) \in E_j$ is relabelled $(\langle i, j \rangle, \langle k, j \rangle)$. Solve the c-DIN problem on $G'$.
By the pigeonhole principle we see that there exists a solution to $c\text{-DIN}(G')$
if and only if there exists a solution to the problem $1\text{-DIN}(G)$. ■

Theorem 5. Problem OAPW is NP-Hard.

Proof: Given a simple undirected graph $G = (V, E)$, we suggest the following
method for computing $c\text{-DIN}(G)$. Without loss of generality let us assume that
the vertices of G are numbered $\{1, \ldots, n\}$, $|V| = n$. Let the player set be V.
Construct the set $A = \{V_1, \ldots, V_n\}$ such that $V_i$ is the set containing all vertices
adjacent to vertex i in G. Solve the problem OAPW with the sets V and A as defined
above. We now show that the function f does not exist for $ck + 1 < c\text{-DIN}(G) - c$.
Let us assume that f exists and let $V' \subseteq V$ be the set of vertices that are
assigned non-zero values by f.

Case 1 ($|V'| \leq k + 1$): From Definition 3 (of c-DIN), there exists an $a \in A$ such
that $V' \subseteq a$. This implies that $\sum_{i \in a} f(i) = ck + 1 > k$, a contradiction.

Case 2 ($|V'| > k + 1$): Consider a $V'' \subseteq V'$, $|V''| = k + 1$. From Definition 3 (of
c-DIN), there exists an $a \in A$ such that $V'' \subseteq a$. This implies that $\sum_{i \in a} f(i) \geq k + 1$,
a contradiction.

For $ck + 1 = c\text{-DIN}(G) - c$, consider any $V' \subseteq V$, $|V'| = ck + 1$. Assign
$f(i) = 1$, $\forall i \in V'$ and $f(i) = 0$, $\forall i \notin V'$. It is easy to see that f is a solution
to the OAPW problem. The same concept can be extended to show that for
$ck + 1 > c\text{-DIN}(G) - c$ there exists a function f satisfying the constraints specified
by the OAPW problem. Hence, given an algorithm for the OAPW problem that
takes $O(g(n))$ time, one can compute the c-DIN of a simple undirected graph G
in $O(g(n) \log n)$ time by binary search on k. Since $c\text{-DIN}(G) \leq n$ it is enough to
consider $ck + 1 \leq n$. The above discussion and Theorem 4 imply the proof of this
theorem. ■

5 An Approximate Algorithm for the OAPW Problem

In this section, we first reduce $OAPW(V, A, c, k, k)$ to $OAPW(V, A, c, k, 1)$.
We then provide an (exponential) algorithm to solve $OAPW(V, A, c, k, 1)$
exactly, followed by a (polynomial) approximate algorithm for the same. Finally,
we design an approximate algorithm for $OAPW(V, A, c, k, k)$ and analyse its
performance.

Theorem 6. A solution to OAPW in which $f : V \to \{0, 1\}$ implies a solution
to OAPW in which $f : V \to \{0, \ldots, k\}$.

Proof: Given an instance $I = (V, A, c, k, k)$ of OAPW, construct an instance
$I' = (V^{(k)}, A, c, k, 1)$ in which $V^{(k)}$ is k copies² of V. Solving OAPW on $I'$, each
$P_i \in V$ would have been assigned at most k 1s (at most once in each copy of V).
Computing $f(i)$ to be the number of 1s assigned to $P_i$ in $V^{(k)}$ gives a solution for
the OAPW on I. ■



5.1 Solving OAPW(V, A, c, k, 1)

Exact Solution. Given the instance $I = (V, A, c, k, 1)$ of the OAPW problem,
construct a bipartite graph $G = (X, Y, E_G)$ with $X = V$, $Y = A$. Add $(x, y)$ to
$E_G$ if and only if $x \in X$, $y \in Y$, and $x \in y$ (that is, the player x is present in
the set y). Now, the problem $OAPW(V, A, c, k, 1)$ stated graph theoretically
is to find $ck + 1$ vertices in X such that the degree of each vertex $y \in Y$ in the
subgraph induced by these $ck + 1$ vertices union Y on G is $\leq k$.

Consider the bipartite graph $H = (X, Y, E_H)$ where $E_H = \{(x, y) \mid x \in X,\ y \in Y,\
(x, y) \notin E_G\}$. The $OAPW(V, A, c, k, 1)$ problem can now be rephrased as: find
$ck + 1$ vertices in X such that the degree of each vertex $y \in Y$ in the
subgraph induced by these $ck + 1$ vertices union Y on H is at least $(c - 1)k + 1$.

From the bipartite graph $H = (X, Y, E_H)$, we construct the following instance
of a set multi-cover problem that solves the $OAPW(V, A, c, k, 1)$ problem: Let
the set $U = Y$ and the family of subsets of U be $\mathcal{F} = \{X_i \mid i = 1, 2, \ldots, |X|\}$,
where $X_i$ denotes the set of all elements in Y that are adjacent to the i-th element
of X in the bipartite graph H. The decision version of the $OAPW(V, A, c, k, 1)$
problem now reads as follows: Does there exist $ck + 1$ or fewer sets from
$\mathcal{F}$ such that their union covers each element of U at least $(c - 1)k + 1$ times?

² Since the search space of k is bounded by a polynomial in $(|V| + |A|)$, the given
construction is feasible.

The above problem can be solved using the solution to the set multi-cover
problem which is as follows.

Definition 4 (Set Multi-Cover Problem).

Instance: A set U, a family $\mathcal{F}$ of subsets of U, positive integers m and k.

Question: Does there exist $\leq k$ sets from $\mathcal{F}$ such that they together cover each
element of U at least m times?

Thus, based on the (exponential) algorithm of finding the minimum set multi-cover,
we now have an (exponential) algorithm to solve the $OAPW(V, A, c, k, 1)$
problem.

Approximating OAPW(V, A, c, k, 1). We proceed by "replacing" the exponential
algorithm of finding the minimum set multi-cover by its corresponding
approximate greedy algorithm as proposed by [3]. Thus, the resulting approximate
algorithm for $OAPW(V, A, c, k, 1)$ is as given in Fig. 1.

Algorithm for OAPW(V, A, c, k, 1)

1. Given the instance $I_{OAPW} = (V, A, c, k, 1)$ of the OAPW problem, construct the
instance $I_{SMC} = (U, \mathcal{F}, (c - 1)k + 1, ck + 1)$ of the set multi-cover problem as
illustrated in Subsection 5.1.

2. Solve the instance $I_{SMC}$ using the approximate set multi-cover algorithm of [3],
which is a natural extension of the greedy approximate algorithm for the set cover
problem.

3. The solution to the instance $I_{SMC}$ (if it exists) gives rise to the set of vertices in
X (i.e. the set of players in V) that are to be given the weight 1. The rest of the
players are given the weight 0.

4. If the instance $I_{SMC}$ has no solution then the instance $I_{OAPW}$ has no solution as well.

Fig. 1. The Approximate Algorithm for OAPW(V, A, c, k, 1)

Theorem 7. The algorithm presented in Fig. 1 runs in time polynomial in the
size of the input and correctly solves the $OAPW(V, A, c, k, 1)$ problem.

Proof: Since each of the four steps in the algorithm runs in time polynomial in
$(|V| + |A|)$, it is evident that the overall algorithm runs in time polynomial in
the input size.

From the construction of Subsection 5.1, it is clear that a solution to the
instance $I_{OAPW}$ exists if and only if the instance $I_{SMC}$ has a solution. We now
show that every solution to the instance $I_{SMC}$ leads to a solution to the instance
$I_{OAPW}$, thereby proving the theorem.

Let $\{X_{i_1}, X_{i_2}, \ldots, X_{i_{ck+1}}\}$, $X_{i_j} \in \mathcal{F}$, be a set multi-cover of U such that their
union covers U at least $(c - 1)k + 1$ times. We stress that the value of k here
may be much larger than what the minimum set multi-cover requires it to be.
From this (approximate) set multi-cover, we obtain the corresponding vertices
in X that along with the vertices in Y induce a subgraph $H_{sub}$ on H such that
each vertex in Y in $H_{sub}$ has a degree of at least $(c - 1)k + 1$. Therefore, since
$E_H$ and $E_G$ complement each other, there exist $ck + 1$ vertices in X such that the
degree of every vertex in Y is bounded by $\leq k$ in the subgraph $G_{sub}$ induced
by the $ck + 1$ vertices of X along with Y on G, thus providing a solution to the
instance $I_{OAPW}$. ■

Corollary 1. The approximate algorithm for $OAPW(V, A, c, k, k)$ (see Fig. 2)
follows from Theorems 6 and 7.
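The following Python program is an added example for this edition, not code from the paper or its authors. It checks Definition 1 directly, solves the decision version of Definition 2 exhaustively for the motivating example of Section 1 (recovering N = 9 with the weights 1, 1, 2, 2, 3), and runs the greedy set multi-cover heuristic of Fig. 1 with the k copies of Theorem 6 folded into a per-player cap of k picks. The function names, the 0-based player numbering, the search cut-off max_k, and the three-player singleton instance used for a second run are all conventions and assumptions of this example.

```python
"""Added example, not part of the paper: a Definition 1 validity check, an
exhaustive solver for the decision version (Definition 2) on tiny instances,
and the greedy set multi-cover heuristic of Fig. 1 combined with the k-copies
reduction of Theorem 6.  Players are 0-based here (P1 .. P5 -> 0 .. 4)."""
from itertools import product

# The motivating example of Section 1, A = {(1,2,3),(1,2,4),(1,5),(2,5),(3,4)},
# written with 0-based player indices; passive adversary, so c = 2.
EXAMPLE_A = [frozenset(s) for s in ((0, 1, 2), (0, 1, 3), (0, 4), (1, 4), (2, 3))]
EXAMPLE_N = 5


def is_valid(weights, adv, c):
    """Definition 1: every z in A must carry weight < (sum of all weights)/c.
    Stated as c * w(z) < N to stay in integer arithmetic."""
    total = sum(weights)
    return total > 0 and all(c * sum(weights[i] for i in z) < total for z in adv)


def brute_force_oapw(adv, n, c, max_k=None):
    """Decision version (Definition 2), tried for k = 1, 2, ...: weights in
    {0..k}, total exactly ck+1, every adversary set of weight <= k.
    Returns (N, weights) for the smallest feasible k, else None.
    max_k is only a search cut-off for this toy solver (assumption: 2n)."""
    if max_k is None:
        max_k = 2 * n
    for k in range(1, max_k + 1):
        target = c * k + 1
        for w in product(range(k + 1), repeat=n):
            if sum(w) == target and all(sum(w[i] for i in z) <= k for z in adv):
                return target, w
    return None


def greedy_oapw(adv, n, c, k):
    """Fig. 1 with the k copies of Theorem 6 folded in: choose at most ck+1
    unit weights, each player at most k times, so that every adversary set z
    is *missed* by at least (c-1)k+1 of the chosen units (set multi-cover on
    the complement graph H).  Greedy rule of [3]: always take the player that
    reduces the most still-unmet demand.  Returns the weight vector, or None
    when the budget runs out; None does not prove the instance infeasible."""
    budget = c * k + 1
    need = {z: (c - 1) * k + 1 for z in adv}     # remaining multiplicity per set
    weights = [0] * n
    picks = 0

    def gain(p):                                  # demand player p would reduce
        if weights[p] >= k:
            return -1                             # all k copies already used
        return sum(1 for z in adv if p not in z and need[z] > 0)

    while any(need[z] > 0 for z in adv):
        if picks >= budget:
            return None
        best = max(range(n), key=gain)
        if gain(best) <= 0:
            return None                           # no player outside a deficient set
        weights[best] += 1
        picks += 1
        for z in adv:
            if best not in z and need[z] > 0:
                need[z] -= 1
    return weights


if __name__ == "__main__":
    print(is_valid([1, 1, 2, 2, 3], EXAMPLE_A, 2))       # the paper's weights
    print(brute_force_oapw(EXAMPLE_A, EXAMPLE_N, 2))     # optimum N = 9
    print(greedy_oapw(EXAMPLE_A, EXAMPLE_N, 2, 4))       # the heuristic may give None
```

The brute-force search confirms that no valid assignment with N = 3, 5 or 7 exists for the motivating example, so N = 9 is optimal there. The greedy run with k = 4 illustrates why Section 5 calls the algorithm approximate: with a first-maximum tie-break it can spend its budget of ck + 1 = 9 picks before every adversary set has been missed (c − 1)k + 1 = 5 times and return None, even though the optimum has N = 9. Whenever it does return a vector, that vector is a valid assignment by Definition 1, because each set then carries at most ck + 1 − ((c − 1)k + 1) = k units out of at most ck + 1.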



6 Inapproximability Results regarding the OAPW Problem

We begin with the known inapproximability result of the set cover problem.

Theorem 8 ([4]). The minimum set cover problem with the instance $(U, \mathcal{F})$ is
inapproximable within $(1 - \epsilon)\ln |U|$ for any $\epsilon > 0$, unless $NP \subseteq DTIME(n^{\log\log n})$.

Using the above result, we show that the $OAPW(V, A, c, k, k)$ problem is
inapproximable within $\Omega(\lg |A|)$ unless $NP \subseteq DTIME(n^{\log\log n})$.

Theorem 9. The problem of computing the optimum player weights is inapproximable
within

$(1 - \epsilon)\ln\frac{|A|}{c} - \frac{c - 1}{N^*}$, for any $\epsilon > 0$

(and hence inapproximable within $\Omega(\lg |A|)$), unless $NP \subseteq DTIME(n^{\log\log n})$,
where $N^*$ denotes the sum of the optimum player weights, and c = 2 for an
eavesdropping adversary and c = 3 if the adversary is Byzantine.



Algorithm for OAPW(V, A, c, k, k)

1. Given the instance $I_k = (V, A, c, k, k)$ of the OAPW problem, construct the
instance $I_1 = (V^{(k)}, A, c, k, 1)$ of the OAPW problem as illustrated in the proof of
Theorem 6.

2. Solve the instance $I_1$ using the approximate algorithm given in Fig. 1.

Fig. 2. The Approximate Algorithm for OAPW(V, A, c, k, k)
Proof: Given a set U and a family $\mathcal{F}$ of subsets of U, the Set Cover problem
is to find the minimum number of sets of $\mathcal{F}$ that cover U. We show that the
Set Cover problem could be solved using an algorithm for the OAPW problem.
Given U and $\mathcal{F}$, construct the instance $OAPW(V, A, c, k, k)$ as follows:

1. Construct a bipartite graph $H = (X, Y, E)$ such that $X = \mathcal{F}$ and $Y = U$
and $(x, y) \in E$ if and only if $x \in X$, $y \in Y$ and $y \notin x$.

2. Let $U = \{u_1, u_2, \ldots, u_{|U|}\}$. Construct the set $A'$ of $|U|$ elements, such that
the i-th element of $A'$ is the set of elements in X that are adjacent to $u_i$ in
H. Let $V' = X$.

3. Let V be c copies of $V'$ and A be c copies of $A'$.

From Theorems 2 and 4, it is straightforward to observe that a solution to
the instance $OAPW(V, A, c, k, k)$ gives a set cover of size $k + 1$, and we minimize
k to get the Minimum Set Cover.

Let $N^* = ck^* + 1$ be the size of the optimal solution to $OAPW(V, A, c, k^*, k^*)$
and let $N = ck + 1$ be the size of the solution yielded by our algorithm. This
implies that the minimum set cover is of size $k^* + 1$ and the solution got by
application of our algorithm is a set cover of size $k + 1$.

From Theorem 8 we see that

$k + 1 \geq (k^* + 1)\, R,$

where $R = (1 - \epsilon)\ln |U|$.

Note that $|U| = \frac{|A|}{c}$. Therefore we get

$\frac{N - 1 + c}{N^*} \geq R \cdot \frac{N^* - 1 + c}{N^*} \geq R,$

and thus

$\frac{N}{N^*} \geq R - \frac{c - 1}{N^*} = (1 - \epsilon)\ln\frac{|A|}{c} - \frac{c - 1}{N^*}.$

Hence the proof. ■

7 Conclusion 

The bottleneck in secure distributed protocols is, in general, the communica- 
tion/round complexity rather than the computation complexity. In the weighted 
threshold adversary setting, the communication complexity of the (resulting) 
protocol can be improved by two (independent) methods, viz., optimizing the 
players’ weights, and developing/adapting the techniques of the threshold setting 
to the weighted threshold setting. In this work, we studied the former method 
and examined its complexity. We also presented an approximation algorithm for 
the Optimal Assignment of Player Weights (OAPW) problem and proved an 
inapproximability bound using the well-known set cover problem. Analyzing the 
quality of approximation is left open and is attempted in the full version of this 
paper. 
Abstract. In this paper we study the autocorrelation values of correlation
immune and resilient Boolean functions. We provide new lower
bounds and related results on absolute indicator and sum of square
indicator of autocorrelation values for low orders of correlation immunity.
Recently it has been identified that the nonlinearity and algebraic degree
of the correlation immune and resilient functions are optimized simultaneously.
Our analysis shows that in such a scenario the sum of square
indicator attains its minimum value too. We also point out the weakness
of two recursive construction techniques for resilient functions in terms
of autocorrelation values.

Keywords: Autocorrelation, Boolean Function, Correlation Immunity,
Global Avalanche Characteristics, Resiliency.



1 Introduction 

Here we concentrate on the autocorrelation values for correlation immune and
resilient (balanced correlation immune) Boolean functions. We provide the
currently best known lower bounds on $\Delta_f$ (the absolute indicator) and $\sigma_f$ (the sum
of square indicator) for low orders of correlation immunity. Very recently
autocorrelation properties of correlation immune and resilient Boolean functions were
presented in [22] and we provide better results here. The autocorrelation property
of higher order correlation immune functions has been considered in [18]. It has
been shown in [18] that for an n-variable, m-resilient function $\Delta_f \geq 2^{\ldots}$.
However, the result is not applicable for low order of correlation immunity.

For high order of correlation immunity we provide a sharper result for an
important subclass of correlation immune and resilient functions which attain the
maximum possible nonlinearity. It has currently been noticed that given a certain
order of correlation immunity, the nonlinearity and algebraic degree of the
correlation immune and resilient functions are optimized simultaneously [17,2,3].
We here extend this analysis in terms of the sum of square indicator of
autocorrelation values. We show that when the nonlinearity and algebraic degree are
maximized, the sum of square indicator attains its minimum value.

In [23], it has been discussed that the propagation property goes against
correlation immunity. We here explicitly show that the $\Delta_f$ value goes against the


C. Pandu Rangan, C. Ding (Eds.): INDOCRYPT 2001, LNCS 2247, pp. 242-253, 2001. 
@ Springer- Verlag Berlin Heidelberg 2001 




Autocorrelation Properties of Correlation Immune Boolean Functions 243



order of correlation immunity. We also point out the limitation of two recursive 
construction methods of resilient Boolean functions in terms of autocorrelation 
values. 

Next we introduce a few definitions and notations. Let $s, s_1, s_2$ be binary
strings of the same length $\lambda$. The bitwise complement of s is denoted by $s^c$. We
denote by $\#(s_1 = s_2)$ (respectively $\#(s_1 \neq s_2)$) the number of places where $s_1$
and $s_2$ are equal (respectively unequal). The Hamming distance between $s_1, s_2$
is denoted by $d(s_1, s_2)$, i.e., $d(s_1, s_2) = \#(s_1 \neq s_2)$. Another measure $wd(s_1, s_2)$
between $s_1$ and $s_2$ is defined as $wd(s_1, s_2) = \#(s_1 = s_2) - \#(s_1 \neq s_2)$. Note
that $wd(s_1, s_2) = \lambda - 2\,d(s_1, s_2)$. The Hamming weight or simply the weight of
s is the number of ones in s and is denoted by $wt(s)$.

By $\Omega_n$ we mean the set of all n-variable Boolean functions. We represent
an n-variable Boolean function as a bit string of length $2^n$, which is the output
column of its truth table. An n-variable function f is said to be balanced if
its output column in the truth table contains an equal number of 0's and 1's (i.e.,
$wt(f) = 2^{n-1}$).

Note that we denote the addition operator over GF(2) by $\oplus$. An n-variable
Boolean function can be uniquely represented by a multivariate polynomial over
GF(2). We can write $f(X_n, \ldots, X_1)$ as

$a_0 \oplus \left(\bigoplus_{i=1}^{n} a_i X_i\right) \oplus \left(\bigoplus_{1 \leq i < j \leq n} a_{ij} X_i X_j\right) \oplus \ldots \oplus a_{12 \ldots n} X_1 X_2 \cdots X_n,$

where the coefficients $a_0, a_i, a_{ij}, \ldots, a_{12 \ldots n} \in \{0, 1\}$. This representation of f is
called the algebraic normal form (ANF) of f. The number of variables in the
highest order product term with nonzero coefficient is called the algebraic degree,
or simply degree of f. Functions of degree at most one are called affine functions.
An affine function with constant term equal to zero is called a linear function.
The set of all n-variable affine (respectively linear) functions is denoted by $A(n)$
(respectively $L(n)$). The nonlinearity $nl(f)$ of an n-variable function f is defined
as

$nl(f) = \min_{g \in A(n)} d(f, g),$

i.e., $nl(f)$ is the distance of f from the set of all n-variable affine functions.

In this document we will use concatenation of Boolean functions. Consider
$f_1, f_2 \in \Omega_{n-1}$ and $f \in \Omega_n$. Then by concatenation of $f_1$ and $f_2$, we mean
that the output columns of the truth tables of $f_1, f_2$ will be concatenated to provide
the output column of the truth table of an n-variable function. We denote the
concatenation of $f_1, f_2$ by $f_1 f_2$. Thus, $f = f_1 f_2$ means that in algebraic normal
form, $f = (1 \oplus X_n) f_1 \oplus X_n f_2$.

Now we define an important tool for analysing Boolean functions. Let $X =
(X_n, \ldots, X_1)$ and $\omega = (\omega_n, \ldots, \omega_1)$ be n-tuples on GF(2) and $X \cdot \omega = X_n \omega_n \oplus
\ldots \oplus X_1 \omega_1$. Let $f(X)$ be a Boolean function whose domain is the vector space
$GF(2)^n$. Then the Walsh transform of $f(X)$ is a real valued function over
$GF(2)^n$ that can be defined as

$W_f(\omega) = \sum_{X} (-1)^{f(X) \oplus X \cdot \omega},$

where the sum is over all X in $GF(2)^n$. For a function f, we define $F_f = |\{\omega \in
\{0, 1\}^n \mid W_f(\omega) \neq 0\}|$. This is the number of nonzero coefficients in the Walsh
spectrum.

Propagation Characteristic (PC) and Strict Avalanche Criteria (SAC) [11]
are important properties of Boolean functions to be used in S-boxes. However,
Zhang and Zheng [19] justified that SAC and PC have some limitations in identifying
certain desirable cryptographic properties of a Boolean function. In this direction
they have proposed the idea of Global Avalanche Characteristics (GAC).
Next we state two important indicators of GAC.

Let $X \in \{0, 1\}^n$ be an n-tuple $X_n, \ldots, X_1$ and $\alpha \in \{0, 1\}^n$ be an n-tuple
$\alpha_n, \ldots, \alpha_1$. Let $f \in \Omega_n$ and $\Delta_f(\alpha) = wd(f(X), f(X \oplus \alpha))$, the autocorrelation
value of f with respect to the vector $\alpha$. The sum-of-square indicator is

$\sigma_f = \sum_{\alpha \in \{0,1\}^n} \Delta_f^2(\alpha)$, and the absolute indicator is $\Delta_f = \max_{\alpha \in \{0,1\}^n,\ \alpha \neq 0} |\Delta_f(\alpha)|$.

We here concentrate on the autocorrelation spectra of correlation immune
and resilient Boolean functions. In [6], the following characterization of correlation
immunity is provided. A function $f(X_n, \ldots, X_1)$ is m-th order correlation
immune (CI) iff its Walsh transform $W_f$ satisfies $W_f(\omega) = 0$ for $1 \leq wt(\omega) \leq m$.
If f is balanced then $W_f(0) = 0$. Balanced m-th order correlation immune
functions are called m-resilient functions. Thus, a function $f(X_n, \ldots, X_1)$ is
m-resilient iff its Walsh transform $W_f$ satisfies

$W_f(\omega) = 0$, for $0 \leq wt(\omega) \leq m$.

By $(n, m, d, x)$ we denote an n-variable resilient function of order m, nonlinearity
x and degree d.

It may very well happen that correlation immune or resilient functions, which
are good in terms of order of correlation immunity, algebraic degree and nonlinearity,
may not be good in terms of SAC or PC properties. Also getting good SAC
or PC properties may not be sufficient for cryptographic purposes. There may be
a function f which possesses good SAC or PC properties, but $f(X) \oplus f(X \oplus \alpha)$
is constant for some nonzero $\alpha$, which is a weakness. It is important to get good
autocorrelation properties for such functions. That is why we here look into the
autocorrelation properties of correlation immune and resilient functions.

For a linear function f, $\Delta_f = 2^n$, and $\sigma_f = 2^{3n}$. For functions f on an even
number of variables, we have $\Delta_f = 0$ ($\sigma_f = 2^{2n}$) iff f is a bent function [9,19].
However, bent functions are not balanced. In fact, for a function f of even weight
$\Delta_f \equiv 0 \pmod 8$ and for a function f of odd weight $\Delta_f \equiv 4 \pmod 8$ [5]. For a balanced
function f, $\sigma_f \geq 2^{2n} + 2^{n+3}$ [15] for both odd and even number of variables. A
comparatively sharper result in this direction has been proposed in [16] which
we will discuss shortly.







Note that the properties $\Delta_f, \sigma_f$ are invariant under nonsingular linear
transformation on the input variables of the function f. Thus, it is easy to see that the $\sigma_f$
results of the papers [15,16] are valid for any Boolean function f whose Walsh
spectrum contains at least one zero.



2 Lower Bounds on Sum-of-Square Indicator

We start this section with a result from [20, Theorem 3].

Theorem 1. Let $f \in \Omega_n$. Then $\sigma_f \geq \frac{2^{3n}}{F_f}$. Moreover, if f has a three valued
Walsh spectrum $0, \pm 2^a$, then $\sigma_f = \frac{2^{3n}}{F_f}$.

Next we have the following result which follows directly from the definition of
correlation immunity and $F_f$.

Proposition 1. Let $f \in \Omega_n$ be an m-th order correlation immune function.
Then $F_f \leq 2^n - \sum_{i=1}^{m} \binom{n}{i}$. Moreover, if f is m-resilient, then $F_f \leq 2^n - \sum_{i=0}^{m} \binom{n}{i}$.

The next result follows from Theorem 1 and Proposition 1.

Lemma 1. Let $f \in \Omega_n$ be an m-th order correlation immune function. Then,

$\sigma_f \geq \frac{2^{3n}}{2^n - \sum_{i=1}^{m} \binom{n}{i}}$. Moreover, if f is m-resilient, then $\sigma_f \geq \frac{2^{3n}}{2^n - \sum_{i=0}^{m} \binom{n}{i}}$.

To identify important consequences of this result we need to get an approximate
result which will provide a $\sigma_f$ value of the form $2^{2n} + 2^{n+g}$, where g is a
function of n, m.

Theorem 2. Let $f \in \Omega_n$ be an m-th order correlation immune function. Then,
$\sigma_f \geq 2^{2n} + 2^{\,n + \log_2 \sum_{i=1}^{m} \binom{n}{i}}$. Similarly, if f is m-resilient, then $\sigma_f \geq 2^{2n} +
2^{\,n + \log_2 \sum_{i=0}^{m} \binom{n}{i}}$.

Proof. Note that $\frac{2^{3n}}{2^n - \sum_{i=1}^{m} \binom{n}{i}} \geq 2^{2n} + 2^n \sum_{i=1}^{m} \binom{n}{i}$, since
$\frac{1}{1 - x} \geq 1 + x$ for $0 \leq x < 1$, applied with $x = \sum_{i=1}^{m} \binom{n}{i} / 2^n$. Thus the result follows for
correlation immune functions. A similar result follows for resilient functions. □

Note that, in our analysis, there is no significant difference in the result of
correlation immune and resilient functions in terms of numerical values.

Currently there is no result on a lower bound of $\sigma_f$ values for correlation
immune and resilient functions. The only known results are for balanced functions
which are given in [15,16]. The lower bound for balanced functions given in [15]
is $2^{2n} + 2^{n+3}$. The result in [16] is as follows. For a balanced function f,

$\sigma_f \geq 2^{2n} + 2^3(2^n - t - 1)$, if $0 \leq t \leq 2^n - 2^{n-3} - 1$, t odd, (i)

$\sigma_f \geq 2^{2n} + 2^3(2^n - t + 2)$, if $0 \leq t \leq 2^n - 2^{n-3} - 1$, t even, (ii)

$\sigma_f \geq (1 + \ldots)$, if $2^n - 2^{n-3} - 1 < t \leq 2^n - 2$, (iii)

if f satisfies propagation characteristics with respect to t vectors. Note that for
cases (i) and (ii), even if we overestimate this lower bound, it is $2^{2n} + 2^{n+3}$. For
the case (iii) the lower bound varies from $2^{2n} + 2^{n+3}$ to $2^{2n+1}$ and also this
depends on the propagation characteristics of the function.

Now we enumerate the consequences of our result.

— In our result the lower bound depends directly on the order m of correlation
immunity and this is the first nontrivial result in this direction.

— Note that for $m \geq \frac{n}{2}$, $\log_2 \sum_{i=1}^{m} \binom{n}{i} \geq n - 1$. Thus for all m-th order
correlation immune functions with $m \geq \frac{n}{2}$, $\sigma_f \geq 2^{2n} + 2^{2n-1}$. The result is
true for m-resilient functions also. This provides a strong lower bound on the
sum-of-square indicator for m-th order correlation immune and m-resilient
functions.

— Given any value r ($1 \leq r \leq n$), it is possible to find an m-th order correlation
immune or m-resilient function f such that $\sigma_f \geq 2^{2n} + 2^{n+r}$ by properly
choosing m.



3 Lower Bounds on Absolute Indicator

Now we concentrate on the absolute indicator of GAC. We have the result on the
sum-of-square indicator for correlation immune and resilient functions. We use
that result in this direction.

Lemma 2. For an n-variable m-th order correlation immune function f,

$\Delta_f \geq \sqrt{\dfrac{\dfrac{2^{3n}}{2^n - \sum_{i=1}^{m} \binom{n}{i}} - 2^{2n}}{2^n - 1}}$. Similarly, $\Delta_f \geq \sqrt{\dfrac{\dfrac{2^{3n}}{2^n - \sum_{i=0}^{m} \binom{n}{i}} - 2^{2n}}{2^n - 1}}$ for an
n-variable m-resilient function f.

Proof. We know $\sigma_f = \sum_{\alpha \in \{0,1\}^n} \Delta_f^2(\alpha)$, and $\Delta_f(0) = 2^n$. Thus, the absolute value
of each $\Delta_f(\alpha)$, $\alpha \neq 0$, will be minimum only when they all possess equal values. Hence,
the minimum value of $\Delta_f$ will be $\sqrt{\frac{\sigma_f - 2^{2n}}{2^n - 1}}$. This gives the result using the
value of $\sigma_f$ from Lemma 1. □

In [22], it has been shown that $\Delta_f \geq 2^{m} \cdot (\cdots)$ for an unbalanced
n-variable m-th order correlation immune function for the range $2 \leq m \leq n$.
Note that $\Delta_f \geq 2^{m-1}$. Also $\Delta_f \geq 2^{m} \cdot (\cdots)$ for an n-variable m-resilient function
for the range $1 \leq m \leq n - 1$. This gives $\Delta_f \geq 2^{m} \cdot 2^{\cdots} = 2^{\cdots}$.

For lower order of correlation immunity ($m \leq \frac{n}{2} - 1$), and lower order of
resiliency ($m \leq \frac{n}{2} - 2$), our result in Lemma 2 is better than the result of [22].
Since the expressions are too complicated to compare, we provide a table below
to substantiate our claim. We present the comparison for n-variable, m-resilient
functions. Note that the $\Delta_f$ values for balanced functions are divisible by 8. Thus
after calculating the expressions we increase the values to the closest integer
divisible by 8. In each row we first provide the $\Delta_f$ values from Lemma 2 and
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Table 1. Comparison of our results with that of [22]. 



n 


1 


2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


12 


13 


14 


8 


~8 


8 




























8 


8 


























9 


~S 


8 




























8 


8 


























10 


T 


8 


16 


























8 


8 


16 
























11 


~8 


16 


24 


























8 


8 


16 
























12 


~S 


16 


24 


32 
























8 


8 


16 


24 






















13 


T 


16 


24 


40 
























8 


8 


16 


24 






















14 


~8 


16 


24 


48 


72 






















8 


8 


16 


24 


40 




















15 


~S 


16 


32 


48 


80 






















8 


8 


16 


24 


40 




















16 


T 


16 


32 


56 


88 


144 




















8 


8 


16 


24 


40 


72 


















17 


8 


16 


32 


64 


104 


168 




















8 


8 


16 


24 


40 


72 


















18 


~S 


16 


32 


72 


120 


192 


288 


















8 


8 


16 


24 


40 


72 


136 
















19 


T 


16 


40 


72 


136 


224 


344 


















8 


8 


16 


24 


40 


72 


136 
















20 


T 


16 


40 


80 


152 


256 


400 


600 
















8 


8 


16 


24 


40 


72 


136 


264 














21 


~S 


16 


40 


88 


176 


296 


472 


712 
















8 


8 


16 


24 


40 


72 


136 


264 














22 


~S 


16 


48 


96 


192 


344 


552 


840 


1224 














8 


8 


16 


24 


40 


72 


136 


264 


520 












23 


T 


24 


48 


112 


216 


392 


648 


1000 


1464 














8 


8 


16 


24 


40 


72 


136 


264 


520 












24 


~S 


24 


56 


120 


240 


440 


752 


1176 


1752 


2496 












8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 










25 


~S 


24 


56 


128 


264 


504 


864 


1384 


2088 


3008 












8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 










26 


T 


24 


56 


136 


296 


568 


1000 


1624 


2488 


3624 


5096 










8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 








27 


T 


24 


64 


152 


320 


632 


1144 


1904 


2960 


4360 


6176 










8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 








28 


~S 


24 


64 


160 


352 


712 


1304 


2216 


3504 


5232 


7480 


10368 








8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 


4104 






29 


T 


24 


64 


168 


384 


792 


1488 


2560 


4128 


6264 


9056 


12640 








8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 


4104 






30 


T 


24 


72 


184 


424 


880 


1680 


2960 


4848 


7472 


10944 


15400 


21064 






8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 


4104 


8200 




31 


~S 


24 


72 


192 


456 


976 


1896 


3400 


5672 


8880 


13184 


18744 


25800 






8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 


4104 


8200 




32 


T 


24 


80 


208 


496 


1080 


2128 


3888 


6600 


10512 


15832 


22768 


31592 


42736 




8 


8 


16 


24 


40 


72 


136 


264 


520 


1032 


2056 


4104 


8200 


16392 
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then under that we provide the result from [22] . It is clear that our result provide 
a considerable improvement over that of [22] as both n, m increases. 

Using a simplification of Lemma 2 we get the following result.

Theorem 3. For an $n$-variable $m$-th order correlation immune function $f$, $\Delta_f \ge \sqrt{(\sigma_f - 2^{2n})/2^n}$, with $\sigma_f$ replaced by its lower bound from Lemma 1. Similarly, with the lower bound of Lemma 1 for resilient functions, $\Delta_f \ge \sqrt{(\sigma_f - 2^{2n})/2^n}$ for an $n$-variable $m$-resilient function $f$.

Proof. The result follows from Lemma 2 by overestimating $2^n - 1$ by $2^n$. □

It is known that, for a function $f$ of even weight, $\Delta_f \equiv 0 \bmod 8$. Since correlation immune functions and resilient functions are all of even weight, the $\Delta_f$ values will be the smallest values divisible by 8 that are not below the values given in Theorem 3. Our result has the following consequences.

— The value $\Delta_f$ is a function of $n, m$.

— For small values of $m$, $\Delta_f \ge \sqrt{\sum_{i=1}^{m} \binom{n}{i}}$.

— For $m = 1$, $\Delta_f \ge \sqrt{n}$.



4 Lower Bounds Using Weight Divisibility Results

Here we use the weight divisibility results of correlation immune and resilient Boolean functions [12]. It is known that the values in the Walsh spectrum of an $m$-th order correlation immune function are divisible by $2^{m+1}$. Similarly, for $m$-resilient functions the Walsh spectrum values are divisible by $2^{m+2}$.

Let us now find the sum-of-square indicators of such functions. We once again refer to Theorem 1: for an $n$-variable function $f$, $\sigma_f \ge 2^{3n}/F_f$, where $F_f$ is the number of nonzero values in the Walsh spectrum of $f$.

— For an $n$-variable, $m$-th order correlation immune function the values in the Walsh spectrum are $0, \pm t\,2^{m+1}$, $t = 1, 2, \ldots$. From Parseval's relation [4] we get $\sum_{\omega \in \{0,1\}^n} W_f(\omega)^2 = 2^{2n}$. Hence, for such a function $f$, $F_f \le 2^{2n-2m-2}$.

— For an $n$-variable, $m$-resilient function the Walsh spectrum contains the values $0, \pm t\,2^{m+2}$, $t = 1, 2, \ldots$. Using Parseval's relation, we get that for such a function $f$, $F_f \le 2^{2n-2m-4}$.

Theorem 4. For an $n$-variable, $m$-th order correlation immune function $f$, $\sigma_f \ge 2^{n+2m+2}$, and for an $n$-variable, $m$-resilient function $f$, $\sigma_f \ge 2^{n+2m+4}$.

Proof. It is known from [12] that for an $m$-th order correlation immune (respectively $m$-resilient) function the nonzero values of the Walsh spectrum are always divisible by $2^{m+1}$ (respectively $2^{m+2}$). Thus, using Parseval's relation, we get that for a correlation immune (respectively resilient) function $F_f \le 2^{2n-2m-2}$ (respectively $F_f \le 2^{2n-2m-4}$). Hence the result follows from Theorem 1. □
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Note that the trivial lower bound on the sum-of-square indicator is $2^{2n}$. Hence, for correlation immune functions this bound is nontrivial when $n + 2m + 2 > 2n$, i.e., $m > n/2 - 1$. Similarly, for resilient functions this bound is nontrivial for $m > n/2 - 2$.

The weight divisibility results using the algebraic degree of the functions have been presented in [2,3]. These results can be used to provide a sharper lower bound on $\sigma_f$ involving the algebraic degree. From [2,3], for an $n$-variable, $m$-th order correlation immune function with algebraic degree $d$, the values of the Walsh spectrum are divisible by $2^{m+1+\lfloor (n-m-1)/d \rfloor}$. Similarly, for an $n$-variable, $m$-resilient function with algebraic degree $d$, the values of the Walsh spectrum are divisible by $2^{m+2+\lfloor (n-m-2)/d \rfloor}$. Using these results we can update Theorem 4 involving the algebraic degree as follows.

Theorem 5. For an $n$-variable, $m$-th order ($m > n/2 - 1$) correlation immune (respectively resilient) function $f$ with algebraic degree $d$, $\sigma_f \ge 2^{n+2m+2+2\lfloor (n-m-1)/d \rfloor}$ (respectively $\sigma_f \ge 2^{n+2m+4+2\lfloor (n-m-2)/d \rfloor}$).

Next we concentrate on a very important subset of correlation immune and resilient functions, those which possess the maximum possible nonlinearity. Importantly, the resilient functions have direct application in stream cipher systems. The clear benchmark in selecting resilient functions is the functions which possess the best possible trade-off among the parameters nonlinearity, algebraic degree and order of resiliency. However, we point out that one more important criterion should be considered in the selection process. In fact we find functions with the best possible trade-off having the same values of nonlinearity, algebraic degree and order of resiliency but different autocorrelation properties. Thus, it is important to select the one with the better $\Delta_f$ value. It is also interesting to note that any two functions with this best possible trade-off must possess the same $\sigma_f$ value, which we show shortly. For this we concentrate on the definition of plateaued functions [20, Definition 9]. Apart from the bent and linear functions, the other plateaued functions have the property that they have a three-valued Walsh spectrum $0, \pm 2^a$. Next we once again concentrate on Theorem 1 (the result from [20, Theorem 3]). Let $f$ be an $n$-variable function with a three-valued Walsh spectrum $0, \pm 2^a$. Then $\sigma_f = 2^{3n}/F_f$. We present the following known [12] results.

— For an $n$-variable, $m$-th order correlation immune function with $m > n/2 - 1$, the maximum possible nonlinearity that can be achieved is $2^{n-1} - 2^{m}$, and these functions possess a three-valued Walsh spectrum $0, \pm 2^{m+1}$. Thus from Parseval's relation [4] $\sum_{\omega \in \{0,1\}^n} W_f(\omega)^2 = 2^{2n}$. Hence, we get that for such a function $f$, $F_f = 2^{2n-2m-2}$.

— For an $n$-variable, $m$-resilient function with $m > n/2 - 2$, the maximum possible nonlinearity that can be achieved is $2^{n-1} - 2^{m+1}$, and these functions possess a three-valued Walsh spectrum $0, \pm 2^{m+2}$. Using Parseval's relation, we get that for such a function $f$, $F_f = 2^{2n-2m-4}$.



Hence we get the following result.
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Theorem 6. For an $n$-variable, $m$-th order ($m > n/2 - 1$) correlation immune function $f$ with maximum possible nonlinearity, $\sigma_f = 2^{n+2m+2}$. Similarly, for an $n$-variable, $m$-resilient ($m > n/2 - 2$) function $f$ with maximum possible nonlinearity, $\sigma_f = 2^{n+2m+4}$.

Proof. The result for a correlation immune (respectively resilient) function follows from Theorem 1 and $F_f = 2^{2n-2m-2}$ (respectively $F_f = 2^{2n-2m-4}$) [12]. □

Current results [17,2,3] clearly show that the nonlinearity and algebraic degree of correlation immune and resilient functions are optimized simultaneously. Theorem 6 provides the result when the nonlinearity is maximized; thus the algebraic degree is also maximized in this case. Here we show that in this situation the sum-of-square indicator attains its minimum value too. This gives that for an $n$-variable, $m$-resilient function the nonlinearity, the algebraic degree and the sum-of-square indicator of the autocorrelation values are optimized simultaneously.

5 Construction Results

Resilient Boolean functions which are provably optimized in terms of order of resiliency, algebraic degree and nonlinearity [12] have immediate applications in stream cipher systems. Unfortunately, the general construction techniques do not provide good autocorrelation properties. First we discuss some specific resilient functions and their $\Delta_f$ values. Then we analyze some of the well-known constructions and calculate the autocorrelation values.

Let us consider the (5, 1, 3, 12) functions. We initially consider such a function $f$ constructed using linear concatenation, namely
$$f = (1 \oplus X_5)(1 \oplus X_4)(X_1 \oplus X_2) \oplus (1 \oplus X_5) X_4 (X_1 \oplus X_3) \oplus X_5 (1 \oplus X_4)(X_2 \oplus X_3) \oplus X_5 X_4 (X_1 \oplus X_2 \oplus X_3).$$
This function has $\Delta_f = 16$. However, using search techniques it is possible to get a (5, 1, 3, 12) function $g$ such that $\Delta_g = 8$. The truth table of $g$ is 00001011110110011110010100111000. This function achieves the best possible trade-off among order of resiliency, nonlinearity, algebraic degree and autocorrelation.

Recently (7, 2, 4, 56) [10] and (8, 1, 6, 116) [7] functions have been found by computer search. The minimum $\Delta_f$ values reported for these two cases (found so far by computer search) are 32 and 80 respectively. However, the existing generalized recursive construction results are not very good in terms of the autocorrelation values. We now discuss the absolute indicator values of autocorrelation for some of these constructions.

5.1 Recursive Construction I

Here we consider the recursive construction which has been discussed in [1,8] in different forms. We use the notation of [8] for constructing an $(n+1)$-variable function $F$ from two $n$-variable functions $f, g$:
$$Q_i(f(X_n, \ldots, X_1), g(X_n, \ldots, X_1)) = F(X_{n+1}, \ldots, X_1) = (1 \oplus X_i)\, f(X_{n+1}, \ldots, X_{i+1}, X_{i-1}, \ldots, X_1) \oplus X_i\, g(X_{n+1}, \ldots, X_{i+1}, X_{i-1}, \ldots, X_1).$$
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Let $f$ be an $n$-variable, $m$-resilient, degree $d$ function having nonlinearity $x$. Define $F(X_{n+1}, \ldots, X_1)$ to be the $(n+1)$-variable function $F(X_{n+1}, \ldots, X_1) = Q_i(f(X_n, \ldots, X_1),\ a \oplus f(b \oplus X_n, \ldots, b \oplus X_1))$. Here $a, b \in \{0, 1\}$; if $m$ is even, $a \ne b$, and if $m$ is odd, $a = 1$ and $b$ can be either 0 or 1. Then $F(X_{n+1}, X_n, \ldots, X_1)$ is an $(m+1)$-resilient, degree $d$ function having nonlinearity $2x$ [8].

Note that any of the operators $Q_i$ can be expressed as a composition of $Q_{n+1}$ and a suitable permutation of the input variables. The permutation of input variables preserves the autocorrelation property, resiliency, algebraic degree and nonlinearity. So it is enough to look into the construction as $F(X_{n+1}, \ldots, X_1) = Q_{n+1}(f(X_n, \ldots, X_1),\ a \oplus f(b \oplus X_n, \ldots, b \oplus X_1))$, i.e.,
$$F(X_{n+1}, \ldots, X_1) = (1 \oplus X_{n+1})\, f(X_n, \ldots, X_1) \oplus X_{n+1}\,(a \oplus f(b \oplus X_n, \ldots, b \oplus X_1)).$$

First consider the case when $m$ is even. Then $a \ne b$. If $a = 1$, $b = 0$, then $F(X_{n+1}, \ldots, X_1) = (1 \oplus X_{n+1})\, f(X_n, \ldots, X_1) \oplus X_{n+1}\,(1 \oplus f(X_n, \ldots, X_1)) = X_{n+1} \oplus f(X_n, \ldots, X_1)$. It is clear that $\Delta_F(1, 0, \ldots, 0) = -2^{n+1}$.

If we consider $a = 0$, $b = 1$, then $F(X_{n+1}, \ldots, X_1) = (1 \oplus X_{n+1})\, f(X_n, \ldots, X_1) \oplus X_{n+1}\, f(1 \oplus X_n, \ldots, 1 \oplus X_1)$. Then $\Delta_F(1, 1, \ldots, 1) = 2^{n+1}$.

Similarly it can be shown that for the case $m$ odd there will be linear structures in this construction. Thus, for this recursive construction, for an $n$-variable function the absolute indicator value is $2^n$.
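The indicators discussed in Sections 3 and 4, the two (5, 1, 3, 12) functions of Section 5 and the construction of Section 5.1, as an added worked example in Python (this is not code from the paper or its authors). It computes the Walsh spectrum, nonlinearity, resiliency order, algebraic degree, autocorrelation spectrum, absolute indicator $\Delta_f$ and sum-of-square indicator $\sigma_f$ of a function given by its truth table. The helper names, the variable ordering ($X_i$ is bit $i-1$ of the table index) and the reading $(X_1 \oplus X_2)$ of the first linear block of $f$ are this example's own assumptions.

```python
# Added example (not code from the paper): the indicators used in Sections 3-5 for a
# Boolean function given as a truth table, and the (5,1,3,12) functions quoted in
# Section 5. Helper names and the variable ordering (X_i is bit i-1 of the table index)
# are this example's own choices.

def nvars(tt):
    """Number of variables n for a truth table of length 2^n."""
    return len(tt).bit_length() - 1

def walsh_spectrum(tt):
    """W_f(w) = sum_x (-1)^(f(x) xor <w,x>) for every w, by the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]          # (-1)^f(x)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max|W_f|/2."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2

def resiliency_order(tt):
    """Largest m such that W_f(w) = 0 for all w of weight <= m (-1 if f is unbalanced)."""
    W = walsh_spectrum(tt)
    m = -1
    for weight in range(nvars(tt) + 1):
        if any(W[w] != 0 for w in range(len(tt)) if bin(w).count("1") == weight):
            break
        m = weight
    return m

def algebraic_degree(tt):
    """Degree of the algebraic normal form, via the fast Moebius transform."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(x).count("1") for x in range(len(a)) if a[x]), default=0)

def autocorrelation(tt):
    """Delta_f(a) = sum_x (-1)^(f(x) xor f(x xor a)) for every shift a."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ a]) for x in range(size)) for a in range(size)]

def absolute_indicator(tt):
    """Delta_f = max over a != 0 of |Delta_f(a)|."""
    return max(abs(v) for v in autocorrelation(tt)[1:])

def sum_of_squares(tt):
    """sigma_f = sum_a Delta_f(a)^2 (the a = 0 term contributes 2^(2n))."""
    return sum(v * v for v in autocorrelation(tt))

def profile(tt):
    """(n, m, d, x) parameters followed by Delta_f and sigma_f."""
    return (nvars(tt), resiliency_order(tt), algebraic_degree(tt), nonlinearity(tt),
            absolute_indicator(tt), sum_of_squares(tt))

def truth_table(func, n):
    """Evaluate func(X_1, ..., X_n) on all 2^n inputs, X_i taken from bit i-1 of the index."""
    return [func(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]

# (5,1,3,12) function f from Section 5, built by linear concatenation over (X5, X4).
# The first linear block (X1 xor X2) is this example's reading of the paper's formula.
def f_concat(x1, x2, x3, x4, x5):
    return ((1 ^ x5) & (1 ^ x4) & (x1 ^ x2)) ^ ((1 ^ x5) & x4 & (x1 ^ x3)) \
        ^ (x5 & (1 ^ x4) & (x2 ^ x3)) ^ (x5 & x4 & (x1 ^ x2 ^ x3))

F_TT = truth_table(f_concat, 5)

# (5,1,3,12) function g found by search; truth table as printed in Section 5.
G_TT = [int(c) for c in "00001011110110011110010100111000"]

def construction_I(tt, a, b):
    """Section 5.1: F(X_{n+1},...,X_1) = (1+X_{n+1}) f(X) + X_{n+1} (a + f(b+X_n,...,b+X_1)),
    with X_{n+1} as the new top bit of the index."""
    mask = (len(tt) - 1) if b else 0
    return list(tt) + [a ^ tt[x ^ mask] for x in range(len(tt))]

if __name__ == "__main__":
    for name, tt in (("f (concatenation)", F_TT), ("g (search)", G_TT)):
        n, m, d, x, delta, sigma = profile(tt)
        print(f"{name}: ({n},{m},{d},{x})  Delta = {delta}  sigma = {sigma}  "
              f"Theorem 4 bound 2^(n+2m+4) = {2 ** (n + 2 * m + 4)}")
    big = construction_I(G_TT, 1, 0)        # m = 1 is odd, so a = 1 and b may be 0
    print("Construction I on g:", profile(big))
```

Running it reports both $f$ and $g$ as (5, 1, 3, 12) functions with $\sigma_f = \sigma_g = 2^{n+2m+4} = 2048$, the equality case of Theorem 6, while $\Delta_f = 16$ and $\Delta_g = 8$. Applying Construction I to $g$ with $a = 1$, $b = 0$ gives a (6, 2, 3, 24) function whose autocorrelation at the shift $(1, 0, \ldots, 0)$ is $-2^{n+1} = -64$, the linear structure described above.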

5.2 Recursive Construction II

Now we consider the construction [17] which was later modified in [10]. An $(n, m, d, x)$ function $f$ is said to be in desired form [10] if it is of the form $(1 \oplus X_n) f_1 \oplus X_n f_2$, where $f_1, f_2$ are $(n-1, m, d-1, x - 2^{n-2})$ functions. This means that the nonzero values of the Walsh spectra of $f_1, f_2$ do not intersect, i.e., if $W_{f_1}(\omega) \ne 0$ then $W_{f_2}(\omega) = 0$, and vice versa. Let $f$ be an $(n, m, d, x)$ function in the desired form, where $f_1, f_2$ are both $(n-1, m, d-1, x - 2^{n-2})$ functions. Let $F = X_{n+2} \oplus X_{n+1} \oplus f$ and $G = (1 \oplus X_{n+2} \oplus X_{n+1}) f_1 \oplus (X_{n+2} \oplus X_{n+1}) f_2 \oplus X_{n+2} \oplus X_n$. Note that in the language of [17], the function $G$ above is said to depend quasilinearly on the pair of variables $(X_{n+2}, X_{n+1})$. Also, let $F_1 = (1 \oplus X_{n+3}) F \oplus X_{n+3} G$. The function $F_1$ constructed from $f$ above is an $(n+3, m+2, d+1, 2^{n+1} + 4x)$ function in the desired form.

Consider the case $\alpha_{n+3} = 0$, $\alpha_{n+2} = \alpha_{n+1} = 1$ and any pattern for $\alpha_n, \ldots, \alpha_1$. In this case, $F(X_{n+2}, \ldots, X_1) = F(X_{n+2} \oplus \alpha_{n+2}, \ldots, X_1 \oplus \alpha_1)$ and hence we get $\Delta_F(\alpha_{n+2}, \ldots, \alpha_1) = 2^{n+2}$. On the other hand, $G(X_{n+2}, \ldots, X_1) \oplus G(X_{n+2} \oplus \alpha_{n+2}, \ldots, X_1 \oplus \alpha_1) = f_1 \oplus f_2 \oplus 1$. Note that, if the nonzero values of the Walsh spectra of $f_1, f_2$ do not intersect, then $f_1 \oplus f_2$ is balanced [13], i.e., $f_1 \oplus f_2 \oplus 1$ is also balanced. Hence $\Delta_G(\alpha_{n+2}, \ldots, \alpha_1) = 0$. This gives $\Delta_{F_1}(\alpha_{n+3}, \ldots, \alpha_1) = \Delta_F(\alpha_{n+2}, \ldots, \alpha_1) + \Delta_G(\alpha_{n+2}, \ldots, \alpha_1) = 2^{n+2} + 0 = 2^{n+2}$. So $\Delta_{F_1} \ge 2^{n+2}$.

Thus, for this recursive construction, for an $n$-variable function the absolute indicator value is greater than or equal to $2^{n-1}$.

It would be interesting to find a construction which provides good $\Delta_f$ values for resilient functions $f$ with the best possible nonlinearity, algebraic degree and $\sigma_f$ values.
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Abstract. In this paper we consider matrices of a special form introduced in [11] and used for constructing resilient functions with cryptographically optimal parameters. For such matrices we establish the lower bound $\frac{1}{\log_2(\sqrt5 + 1)} = 0.5902\ldots$ for the important ratio of their parameters and point out that there exists a sequence of matrices for which the limit of the ratio of these parameters is equal to the lower bound. By means of these matrices we construct $m$-resilient $n$-variable functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m = 0.5902\ldots n + O(\log_2 n)$. This result supersedes the previous record.

Keywords: stream cipher, Boolean function, nonlinear combining function, correlation-immunity, resiliency, nonlinearity, special matrices.



1 Introduction

Different types of ciphers use Boolean functions: LFSR-based stream ciphers use Boolean functions as nonlinear combiners or nonlinear filters, block ciphers use Boolean functions in substitution boxes, and so on. Boolean functions used in ciphers must satisfy some specific properties to resist different attacks. One of the most important desired properties of Boolean functions in LFSR-based stream ciphers is correlation immunity, introduced by Siegenthaler [9]. Other important properties are nonlinearity, algebraic degree and so on.

The most usual theoretic motivation for the investigation of highly nonlinear resilient Boolean functions is the use of such functions as nonlinear combiners in stream ciphers. But from the practical point of view the number of variables in such a system cannot be too big (otherwise the key length will be too long). It is necessary to note that all important functions with a small number of variables have already been found by exhaustive search. At the same time another important practical type of stream cipher uses Boolean functions as nonlinear filters. Here, in general, it is possible to use functions with a big number of variables. But the main problem here is that effective (from the implementation point of view) constructions of such functions cannot be found by exhaustive
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search, and also it was pointed out [4] that a stream cipher of this type can be transformed into an equivalent one (in some sense) with worse resiliency but the same nonlinearity. This emphasizes the importance of direct effective constructions of Boolean functions with a big number of variables and an optimal combination of resiliency and nonlinearity.

Correlation immunity (or resiliency) is a property important in cryptography not only in stream ciphers. It is an important property if we want the knowledge of some specified number of input bits to give no (statistical) information about the output bit. In this respect such functions are considered in [3], [2] and other works.

It was proved independently in [8], [10] and [12] that the nonlinearity of an $n$-variable $m$-resilient function does not exceed $2^{n-1} - 2^{m+1}$ for $m < n - 1$. It was proved that if this bound is achieved then $m > 0.5n - 2$. In [10] it was proved that if this bound is achieved then the algebraic degree of the function is maximum possible too (i.e. achieves Siegenthaler's Inequality) and equal to $n - m - 1$. In [10], [6] and [11] effective constructions of $m$-resilient $n$-variable functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m \ge \ldots$, $m \ge \ldots$ and $m \ge 0.6n - 1$ correspondingly were given. To obtain this result in [11] the concept of a proper $(k_0, k, p, t)$-matrix was introduced. In [11] it was pointed out that it is most important to find a proper $(k, k, p, t)$-matrix where the ratio $\frac{t}{k+t}$ is as small as possible. In [11] a proper (4, 4, 6, 6)-matrix was given for which this ratio is 0.6. At the same time the lowest possible value of the ratio $\frac{t}{k+t}$ for proper matrices was formulated in [11] as an open problem. In the present paper we investigate the problem of the lowest possible value of the ratio $\frac{t}{k+t}$ for proper matrices and establish that this ratio cannot be less than $\frac{1}{\log_2(\sqrt5+1)} = 0.5902\ldots$ At the same time we construct proper matrices that approach this lower bound with arbitrary precision. By means of these matrices we construct $m$-resilient $n$-variable functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m = 0.5902\ldots n + O(\log_2 n)$. Note that our nonexistence results demonstrate that the proper matrices technique alone is not sufficient to construct $m$-resilient $n$-variable functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m < 0.5902\ldots n + O(1)$. At the same time it is quite possible that such functions exist for any $m, n$ provided $0.5n - 2 < m < n - 2$. At least an opposite result has not been proved. Thus, the construction of such functions demands new methods and new techniques.

The rest of this paper is organized as follows. In Section 2 we give preliminary concepts and notions. In Section 3 we formulate the necessary concepts and results from the previous work [11] on proper matrices. In Section 4 we prove that there does not exist a proper $(k_0, k, p, t)$-matrix if $\frac{t}{k+t} < \frac{1}{\log_2(\sqrt5+1)} = 0.5902\ldots$ In Section 5 we construct proper $(k_0, k, p, t)$-matrices with ratio $\frac{t}{k+t}$ close to $\frac{1}{\log_2(\sqrt5+1)}$, up to a correction term depending on a parameter $\alpha$, where $\alpha < \sqrt5 \log_2 \frac{\sqrt5+1}{2} = 1.5523\ldots$ In Section 6, by means of the proper matrices constructed in Section 5, we construct $m$-resilient $n$-variable functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m = \frac{1}{\log_2(\sqrt5+1)} n + O(\log_2 n) = 0.5902\ldots n + O(\log_2 n)$. In Section 7 we discuss the
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method that probably gives the best possible, in some sense, concrete proper matrices.



2 Preliminary Concepts and Notions

We consider $V^n$, the vector space of $n$-tuples of elements from $GF(2)$. A Boolean function is a function from $V^n$ to $GF(2)$. The weight $wt(f)$ of a function $f$ on $V^n$ is the number of vectors $x$ in $V^n$ such that $f(x) = 1$. A function $f$ is said to be balanced if $wt(f) = wt(f \oplus 1)$. Obviously, if a function $f$ on $V^n$ is balanced then $wt(f) = 2^{n-1}$. A subfunction of the Boolean function $f$ is a function $f'$ obtained by substituting some constants for some variables in $f$. If a variable $x_i$ is not substituted by a constant then $x_i$ is called a free variable for $f'$.

The Hamming distance $d(x', x'')$ between two vectors $x'$ and $x''$ is the number of components where the vectors $x'$ and $x''$ differ. For two Boolean functions $f_1$ and $f_2$ on $V^n$, we define the distance between $f_1$ and $f_2$ by $d(f_1, f_2) = \#\{x \in V^n \mid f_1(x) \ne f_2(x)\}$. The minimum distance between $f$ and the set of all affine functions (i.e. functions of the form $f(x) = c_0 \oplus \bigoplus_{i=1}^{n} c_i x_i$) is called the nonlinearity of $f$ and denoted by $nl(f)$.

A Boolean function $f$ on $V^n$ is said to be correlation-immune of order $m$, with $1 \le m \le n$, if $wt(f') = wt(f)/2^m$ for any of its subfunctions $f'$ of $n - m$ variables. This concept was introduced by Siegenthaler [9]. A balanced $m$-th order correlation immune function is called an $m$-resilient function. From this point of view it is possible to consider formally any balanced Boolean function as 0-resilient (this convention is accepted in [1], [7], [5]) and an arbitrary Boolean function as $(-1)$-resilient (this convention is accepted in [10] and [11]). The concept of an $m$-resilient function was introduced in [3].



3 Results of Previous Work on Proper Matrices

In [11], for the construction of new $m$-resilient $n$-variable Boolean functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$, the concept of a proper matrix was introduced.

Definition 1. [11] Let $B = (b_{ij})$ be a $(2^k \times p)$ matrix of $2^k$ rows and $p$ columns with entries from the set $\{1, 2, *\}$. Let $k_0$ and $t$ be positive integers. We assume that

(i) for every two rows $i_1$ and $i_2$ there exists a column $j$ such that $b_{i_1 j} = 1$, $b_{i_2 j} = 2$ or $b_{i_1 j} = 2$, $b_{i_2 j} = 1$;

(ii) for every row $i$ the inequality $\sum_{j=1}^{p} b_{ij} \le t$ holds (a sign $*$ does not contribute to these sums);

(iii) in every row the number of ones does not exceed $k_0$.
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If the matrix $B$ satisfies all properties (i), (ii), (iii) we say that $B$ is a proper $(k_0, k, p, t)$-matrix.

The proper $(k_0, k, p, t)$-matrix is denoted in [11] by $B_{k_0, k, p, t}$. The next definitions were given in [11].

Definition 2. A Boolean function $f = f(x_1, \ldots, x_n)$ depends on a pair of its variables $(x_i, x_j)$ quasilinearly if $f(x') \ne f(x'')$ for any two vectors $x'$ and $x''$ of length $n$ that differ only in the $i$-th and $j$-th components. A pair $(x_i, x_j)$ in this case is called a pair of quasilinear variables in $f$.

Definition 3. Let $F$ be a set of Boolean functions such that for every $s$, $0 \le s \le k$, the set $F$ contains an $(m+s)$-resilient function $f_s$ on $V^{n+s}$ with nonlinearity at least $\lambda (2^{n+s-1} - 2^{m+s+1})$ ($\lambda$ is not necessarily an integer). Moreover, we assume that each $f_s$ contains $s$ disjoint pairs of quasilinear variables. Then we say that $F$ is an $S_{n,m,k,\lambda}$-system of Boolean functions.

The next theorem was proved in [11].

Theorem 1. [11] Suppose that there exists an $S_{n,m,k_0,\lambda}$-system of Boolean functions $F$ and there exists a proper $(k_0, k, p, t)$-matrix $B$, $n \ge 2p - t$. Then there exists an $S_{n+k+t, m+t, k, \lambda}$-system of Boolean functions.

An application of the construction given in Theorem 1 is denoted in [11] by $S_{n,m,k_0,\lambda} T_{k_0,k,p,t} = S_{n+k+t,m+t,k,\lambda}$.

Lemma 1. [11] There exists an $S_{2,-1,2,1}$-system of Boolean functions.

Indeed, the functions $f_0 = x_1 x_2$, $f_1 = (x_1 \oplus x_2) x_3 \oplus \ldots$, $f_2 = (x_1 \oplus x_2)(x_3 \oplus x_4) \oplus x_1 \oplus x_3$ form the $S_{2,-1,2,1}$-system of Boolean functions, i.e. for $i = 0, 1, 2$ the system contains a $(2+i)$-variable $(-1+i)$-resilient Boolean function of nonlinearity $2^{i+1} - 2^{i}$.

The results of [11] demonstrate that if there exists a proper $(k, k, p, t)$-matrix then there exists a constant $C$ such that for any $n$ and $m$ provided $m \ge \frac{t}{k+t} n + C$ there exists an $m$-resilient $n$-variable Boolean function with nonlinearity $2^{n-1} - 2^{m+1}$. Thus, the important problem is to construct a proper $(k, k, p, t)$-matrix with ratio $\frac{t}{k+t}$ as small as possible. In [11] an example of a proper (4, 4, 6, 6)-matrix was given where the value $\frac{t}{k+t}$ is equal to 0.6.

In this work we study the problem of the existence of proper $(k_0, k, p, t)$-matrices.



4 Lower Bound for the Value $\frac{t}{k+t}$

In this Section we prove that there does not exist a proper $(k_0, k, p, t)$-matrix if
$$\frac{t}{k+t} < \frac{1}{\log_2(\sqrt5 + 1)} = 0.5902\ldots$$

Lemma 2. If there exists a proper $(k_0, k, p, t)$-matrix $B$ then for any $p' > p$ there exists a proper $(k_0, k, p', t)$-matrix.
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Proof. We obtain a proper $(k_0, k, p', t)$-matrix simply by adding $p' - p$ new all-$*$ columns to $B$. □

The next lemma is obvious.

Lemma 3. If there does not exist a proper $(k_0, k, p, t)$-matrix $B$ then for any $k_0' < k_0$ there does not exist a proper $(k_0', k, p, t)$-matrix.

In this paper we consider a Boolean cube $B^p$ as the set of all vectors $(x_1, \ldots, x_p)$ where $x_i \in \{1, 2\}$. The $l$-th level of the Boolean cube $B^p$ is the set of all vectors of $B^p$ with exactly $l$ ones. The cardinality of the $l$-th level of $B^p$ is $\binom{p}{l}$. A proper $(k_0, k, p, t)$-matrix $B$ can be interpreted [11] as a collection of $2^k$ disjoint subcubes in the Boolean cube $\{1, 2\}^p$. Indeed, a row of $B$ can be interpreted as a subcube where the components with $*$ are free whereas the components with 1 or 2 are fixed to the corresponding constants. Property (i) of a proper matrix provides that the subcubes are disjoint. Properties (ii) and (iii) characterize the location of the subcubes in the cube and the size of the subcubes.



Theorem 2. There does not exist a proper $(k_0, k, p, t)$-matrix for
$$\frac{t}{k+t} < \frac{1}{\log_2(\sqrt5 + 1)} = 0.5902\ldots$$

Proof. By Lemma 3 it is sufficient to prove this theorem for $k_0 = t$.

Let $B$ be an arbitrary proper $(t, k, p, t)$-matrix. We can consider $B$ as a set of disjoint subcubes of the Boolean cube $B^p$ if we consider each row of $B$ as a subcube. These subcubes are disjoint by item (i) in Definition 1 of a proper matrix.

If $t$ is even then we replace in the rows with an odd number of ones some asterisk by a one (if there are no asterisks in a row then we first add an all-$*$ column to the matrix $B$; after this procedure the parameter $p$ will increase, but this is not important for us). If $t$ is odd we do the same for all rows with an even number of ones. Now for even $t$ all rows contain an even number of ones and for odd $t$ all rows contain an odd number of ones. If the matrix $B$ contains rows where the sum of ones and twos is less than $t - 1$ then we replace asterisks in these rows by twos (adding if necessary new all-$*$ columns to $B$) until the sum of ones and twos becomes greater than $t - 1$, i.e. $t$.

Thus, without loss of generality we can assume that the sum of ones and twos in any row of $B$ is exactly $t$.

Consider a subcube defined by a row of $B$ with exactly $s$ twos and exactly $r$ ones. Then the $l$-th level of the Boolean cube $B^p$ contains exactly $\binom{p-s-r}{l-r}$ vectors of this subcube if $l = r, \ldots, p - s$, and does not contain such vectors for other $l$.

Suppose that $t$ is even (for odd $t$ the reasoning is analogous). Then the $l$-th level of the Boolean cube contains $\binom{p - t/2}{l}$ vectors from each subcube defined by the rows of $B$ with exactly $t/2$ twos and exactly 0 ones, $\binom{p - t/2 - 1}{l - 2}$ vectors from each subcube defined by the rows of $B$ with exactly $t/2 - 1$ twos and exactly 2 ones, and so on. Denote the number of rows of $B$ with exactly $i$ ones by $c_i$.
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Then for any $l = 0, 1, \ldots, p$ the next inequality holds:
$$\sum_{i=0}^{t/2} c_{2i} \binom{p - t/2 - i}{l - 2i} \le \binom{p}{l}.$$
It follows that
$$\sum_{i=0}^{t/2} c_{2i}\, \frac{(p - t/2 - i)!}{(l - 2i)!\,(p - t/2 - l + i)!} \le \frac{p!}{l!\,(p - l)!}.$$
Note that adding new all-$*$ columns to $B$ we can obtain a proper $(t, k, p', t)$-matrix for any $p' > p$. Thus, if there does not exist a proper $(t, k, p', t)$-matrix for any $p' > p$ then there does not exist a proper $(t, k, p, t)$-matrix $B$. Therefore below we can suppose $p$ as large as necessary. Put $l = \alpha p$ and divide both sides of the inequality by $\binom{p}{l}$. For fixed $t$ and $i$ each quotient $\binom{p - t/2 - i}{l - 2i} / \binom{p}{l}$ is a ratio of two polynomials in $p$ of the same degree $t/2 + i$, and transforming the fractions we have
$$\sum_{i=0}^{t/2} c_{2i}\, \alpha^{2i} (1 - \alpha)^{t/2 - i}\, (1 + a_i/p + O(1/p^2)) \le 1 + b/p + O(1/p^2),$$
where $a_i$, $b$ do not depend on $p$. Dividing by $(1 - \alpha)^{t/2}$ this gives
$$\sum_{i=0}^{t/2} c_{2i} \left(\frac{\alpha^2}{1 - \alpha}\right)^{i} (1 + a_i/p + O(1/p^2)) \le \frac{1}{(1 - \alpha)^{t/2}}\,(1 + b/p + O(1/p^2)).$$
Pointing in view that we can take $p$ as large as desired for the fixed remaining parameters, we have
$$\sum_{i=0}^{t/2} c_{2i} \left(\frac{\alpha^2}{1 - \alpha}\right)^{i} \le \frac{1}{(1 - \alpha)^{t/2}}.$$
To find the sum of the $c_i$ we take $\alpha = \frac{\sqrt5 - 1}{2}$, the root of the equation $\frac{\alpha^2}{1 - \alpha} = 1$. This number is irrational, but we can approach it by a sequence of rational numbers (so that $l = \alpha p$ is an integer). As a result we have
$$\sum_{i=0}^{\lfloor t/2 \rfloor} c_{2i} \le \frac{1}{(1 - \alpha)^{t/2}} = \left(\frac{\sqrt5 + 1}{2}\right)^{t}.$$
Therefore, since every row of $B$ has an even number of ones,
$$k = \log_2 \sum_{i=0}^{\lfloor t/2 \rfloor} c_{2i} \le t \log_2 \frac{\sqrt5 + 1}{2}, \qquad \text{and} \qquad \frac{t}{t+k} \ge \frac{1}{1 + \log_2 \frac{\sqrt5+1}{2}} = \frac{1}{\log_2(\sqrt5 + 1)}.$$
□




M. Fedorova and Y. Tarannikov



5 The Sequence of Proper Matrices with $\frac{t}{k+t} \to 0.5902\ldots$

In the previous Section we demonstrated that for any proper $(k_0, k, p, t)$-matrix the inequality $\frac{t}{k+t} \ge \frac{1}{\log_2(\sqrt5+1)} = 0.5902\ldots$ holds. Nevertheless, it appears that the ratio $\frac{t}{k+t}$ can approach the value $\frac{1}{\log_2(\sqrt5+1)} = 0.5902\ldots$ with arbitrary precision. In this Section we construct proper $(k_0, k, p, t)$-matrices with ratio $\frac{t}{k+t}$ close to $\frac{1}{\log_2(\sqrt5+1)}$, up to a correction term depending on a parameter $\alpha$, where $\alpha < \sqrt5 \log_2 \frac{\sqrt5+1}{2} = 1.5523\ldots$

Lemma 4. Suppose that a < -\/51og2 • Let 

'VE+1 



= 1.5523.... 



■ 



kn = 




1 



L^J 

fco+l 



> 



l^ t + fcQ + l J 

kQ-\-3 



Then 

0 ( 1 )). 

Proof. We solve the inequality 

t+fcp — 1 

2 

fco + 1 



+ - l0g2 
a 



(1 + 0 ( 1 )) and 



V5+ 1 
2V5 

fco+2 



- 1 



> 



|^ t + fcp+2 j 

fcp+4 



(1 



> 



2 

k() 3 



(1) 



(in the second case we have the same asymptotics). Using the factorial represen- 
tation for binomial coefficients we solve the quadratic inequality for ko consid- 
ering t as some parameter. As a result we obtain that the inequality (1) holds 
if 

A:o> ^f(l + o(l)). (2) 



But by the hypothesis of Lemma we have that kg is asymptotically L log 2 

and a < -\/51og2 • K follows the same condition (2) on ko that completes 



the proof. 



Theorem 3. For any a, 0 < a < -\/51og2 = 1.5523 . . ., and any £ > 0 

there exists a proper {ko,k,p,t) -matrix such that < j^g (.^+ 1 ) ^ ^ ^ 



ako- 



Proof. If this Theorem holds for some $\alpha$, $0 < \alpha < \sqrt5 \log_2 \frac{\sqrt5+1}{2}$, then obviously this Theorem holds for any $\alpha'$, $0 < \alpha' < \alpha$. Therefore we can assume that $\alpha > \log_2 \frac{\sqrt5+1}{2} = 0.6942\ldots$

At first, we construct recursively the sequence of matrices At, t = 1,2, . . ., 
that satisfy properties (i) and (ii) of proper matrices but the number of rows in 




On the Constructing of Highly Nonlinear Resilient Boolean Functions 261 



these matrices is not necessarily a power of two. We denote by $s(t)$ the number of rows in the matrix $A_t$ obtained after the $t$th step.

At the $t$th step we construct the matrix $A_t$ such that the sum of ones and twos in any row of $A_t$ does not exceed $t$ and for any two different rows of $A_t$ there exists a column such that one of these two rows has a one in this column and the second row has a two in this column. We suppose that the matrices $A_{t-1}$ and $A_{t-2}$ were constructed at the previous steps, and that they have the same number of columns (otherwise we add to one of them the deficient number of all-$*$ columns). Next, we add to each of these matrices on the right an additional column: the all-ones column to the matrix $A_{t-1}$ and the all-twos column to the matrix $A_{t-2}$. Writing the obtained matrices one over another, we call the resulting matrix $A_t$:

$A_t = \begin{pmatrix} A_{t-1} & \mathbf{1} \\ A_{t-2} & \mathbf{2} \end{pmatrix}$.

The matrix $A_t$ is of the desired form, and the sum of ones and twos in each row of $A_t$ does not exceed $t$. The number of rows in $A_t$ is $s(t) = s(t-2) + s(t-1)$. Thus, $s(t)$ forms the Fibonacci sequence, and $s(t)$ is asymptotically $\frac{1}{\sqrt{5}}\left(\frac{\sqrt{5}+1}{2}\right)^{t+1}$ if we take the matrices $A_1 = (1)$ and $A_2 = \begin{pmatrix} 1 \\ 2 \end{pmatrix}$ as initial. In this construction the matrix $A_t$ contains the rows with the



:log2(A“ 






number of ones greater than fcp {t, a) = 

Calculate the ratio of the number of rows that contain more than $k_0$ ones to the number of all rows in $A_t$ (i.e. $s(t)$). Denote by $l_j(t)$ the number of rows with exactly $j$ ones in the matrix $A_t$. By construction $l_0(t) = l_0(t-2)$, $l_j(t) = l_j(t-2) + l_{j-1}(t-1)$ for $j \ge 1$. These recursive relations yield the following direct formulas:

$l_j(t) = \binom{\frac{t+j-2}{2}}{j} l_0(2) + \binom{\frac{t+j-4}{2}}{j-1} l_1(1) + a_2 l_2 + \ldots + a_j l_j$ if $(t+j)$ is even and

$l_j(t) = \binom{\frac{t+j-3}{2}}{j} l_0(1) + \binom{\frac{t+j-3}{2}}{j-1} l_1(2) + a_2 l_2 + \ldots + a_j l_j$ if $(t+j)$ is odd,

where $a_2, \ldots, a_j$ are some numbers and the arguments of $l_2, \ldots, l_j$ are 1 or 2 (depending on the parity). For the initial matrices $A_1$ and $A_2$ introduced above we have $l_0(1) = 0$, $l_0(2) = 1$, $l_1(1) = l_1(2) = 1$, $l_j(1) = l_j(2) = 0$ for $j \ge 2$. Therefore,

$l_j(t) = \binom{\frac{t+j-2}{2}}{j} + \binom{\frac{t+j-4}{2}}{j-1}$ if $(t+j)$ is even and $l_j(t) = \binom{\frac{t+j-3}{2}}{j-1}$ if $(t+j)$ is odd.

It follows 



E ’-jit) 

j=ko{t,a) + l 

s{t) 



< 



const • 



< 



(by Lemma 4 for ko{t, a) = ^ loga ^ logs “ 1 ) 



V 2 J 

{t - ko{t,a)) 



const 



|- t + fco(t,a)-1 1 

ko(t,a) + l 



(A“) 



< 
(denoting v = log 2 and using the Stirling formula), 



< const • t- 



const • Vi 



(^) 






( 



const • Vi 



(i + ^)Ki+s) 






It is easy to check that the expression in the parentheses increases monotonically in $a$ for $\log_2\frac{\sqrt{5}+1}{2} = 0.6942\ldots < a < \sqrt{5}\log_2\frac{\sqrt{5}+1}{2} = 1.5523\ldots$ and takes the value 1 for $a = \sqrt{5}\log_2\frac{\sqrt{5}+1}{2}$. Therefore this expression takes values less than 1 for $\log_2\frac{\sqrt{5}+1}{2} < a < \sqrt{5}\log_2\frac{\sqrt{5}+1}{2}$. It follows that

$\frac{\sum_{j=k_0(t,a)+1}^{t} l_j(t)}{s(t)} \to 0$ for $\log_2\frac{\sqrt{5}+1}{2} < a < \sqrt{5}\log_2\frac{\sqrt{5}+1}{2}$.

Thus, in the matrix $A_t$ the number of rows that contain more than $k_0(t,a)$ ones is asymptotically small with respect to the total number of rows. We eliminate from the matrix $A_t$ all rows that contain more than $k_0(t,a)$ ones. For sufficiently large $t$ the number of such rows is smaller than $2^{k(t)}$, where $k(t) = \lfloor \log_2 s(t) \rfloor - 1$; therefore the obtained matrix contains at least $2^{k(t)}$ rows. Now the matrix satisfies property (iii) of a proper matrix (see Definition 1) for $k_0 = k_0(t,a)$, $k = k(t)$. Next, if necessary, we eliminate some more rows to obtain a matrix with exactly $2^{k(t)}$ rows. As a result, we have constructed a proper $(k_0(t,a), k(t), p, t)$-matrix for some $p$. Thus, for the sequence of proper $(k_0(t,a), k(t), p, t)$-matrices constructed above we have



$\frac{t}{t+k(t)} \to \frac{1}{\log_2(\sqrt{5}+1)}$ and $\frac{k(t)}{k_0(t,a)} = \frac{\lfloor \log_2 s(t) \rfloor - 1}{k_0(t,a)} \to a$; moreover, if $a > 1$ then $\frac{k(t)}{k_0(t,a)} > a$ for an infinite sequence of $t$. The conclusion of the Theorem follows.



Remark. Note that in the construction in the proof of Theorem 3 we in fact have $p = 1$ for $t = 1$ and $p = t - 1$ for $t > 1$.
6 Constructions of New Record Highly Nonlinear Resilient Boolean Functions



In this Section, by means of the proper matrices constructed in the previous Section, we construct $m$-resilient $n$-variable functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m = \frac{n}{\log_2(\sqrt{5}+1)} + O(\log_2 n) = 0.5902\ldots n + O(\log_2 n)$. Until now such functions with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ were known only for $m \ge 0.6n - 1$ [11] and for some small set of concrete parameters $n$ and $m$.

Lemma 5. For any positive integer $k$ there exists a proper $(1, k, 2^k+1, 2^k+1)$-matrix.

Proof. We form the square matrix $B$ of order $2^k+1$ by writing in its rows all possible cyclic shifts of the row $(1\ \underbrace{2 \ldots 2}_{2^{k-1}}\ \underbrace{* \ldots *}_{2^{k-1}})$. It is easy to check that in this matrix for any two different rows there exists a column such that one of these two rows has a one in this column and the second row has a two in this column. The sum of the numbers in each row of $B$ is exactly $2^k+1$. Eliminating any row from $B$ we obtain a proper $(1, k, 2^k+1, 2^k+1)$-matrix. □

Lemma 6. For a given positive integer $k$ and an infinite sequence of positive integers $n$ there exist proper $S_{n,m,k,1}$-systems of Boolean functions for some $m$.

Proof. By Lemma 1 there exists an $S_{2,-1,2,1}$-system of Boolean functions. Using Lemma 5 we apply

S'2, -1,2,1 (T’l, 1,1,2)^ + + 

By Theorem 1 this construction is valid if $2 + 3h \ge 2^k + 1$. Therefore for all $h$ with $h \ge \frac{2^k - 1}{3}$ we construct an $S_{2^k+k+3h+3,\,2^k+2h,\,k,\,1}$-system of Boolean functions. □

Note that the constructions in Lemmas 5 and 6 are obviously nonoptimal from the practical point of view, but they are easier for the proof.



Theorem 4. It is possible to construct an $m$-resilient $n$-variable function with maximum possible nonlinearity $2^{n-1} - 2^{m+1}$ for $m = \frac{n}{\log_2(\sqrt{5}+1)} + O(\log_2 n)$.



Proof. We use the proper $(k_0(t,a), k(t), p, t)$-matrices constructed in the proof of Theorem 3. Note that by the Remark after the proof of Theorem 3 we have $p = t - 1$ for $t \ge 2$. We choose $1 < a < \sqrt{5}\log_2\frac{\sqrt{5}+1}{2} = 1.5523\ldots$ and form the sequence $t_0, t_1, t_2, \ldots$ recursively. By Theorem 3, for given $a$, beginning with sufficiently large $t$ the matrices constructed in the proof of Theorem 3 are proper $(k_0(t,a), k(t), p, t)$-matrices. We denote this sufficiently large $t$ by $t_0$ (we can assume that $t_0 \ge 2$). Suppose that $t_i$ and $k(t_i)$ are already defined positive integers. Then we define $t_{i+1}$ as the maximal positive integer such that



ti+i 

a 



log2 



(^) 



-f - l0g2 
a 




- 1 



ko(ti+i, a) 



k{ti). (3) 
It is easy to see that $k_0(t,a)$ is nondecreasing in $t$ and $k_0(t+1,a) - k_0(t,a) \le 1$; therefore this definition of $t_{i+1}$ is correct. Finally, we put



k{U+i) 



U+i log2 



(^) 




- 1 • 



(4) 



The recursive definition is complete.

For the defined $t_0$, by Lemma 6 we construct an $S_{n_0,m_0,k(t_0),1}$-system of Boolean functions such that $n_0 \ge t_1 - 2$. After this we define recursively:

,m,+i ) ,1 ; ^ 0, 1, 2, . . . 

Here $n_{i+1} = n_i + k(t_{i+1}) + t_{i+1}$, $m_{i+1} = m_i + t_{i+1}$.

By Theorem 1 this construction is valid if $n_i \ge 2p_{i+1} - t_{i+1} = t_{i+1} - 2$ for all $i$. We prove this statement by induction on $i$. We have $n_0 \ge t_1 - 2$ by construction. Next, suppose that $n_i \ge t_{i+1} - 2$. Then using (3) and (4) we have



$n_{i+1} - t_{i+2} + 2 = n_i + k(t_{i+1}) + t_{i+1} - t_{i+2} + 2 \ge k(t_{i+1}) + 2t_{i+1} - t_{i+2} \ge$



ti+i log2 



'VE+1 



{2-a) + V5 ^log 2 






-l0g2 



'VE+i 

2^5 



-1 + 



■Ofe (^) 

iog2 ( 



$\ge t_{i+1} \cdot 0.3107\ldots - 0.3123\ldots > 0$

since $t_{i+1} \ge 2$. Thus, we use Theorem 1 correctly. After $q$ steps we have $n_q = n_0 + \sum_{i=1}^{q} (k(t_i) + t_i)$, $m_q = m_0 + \sum_{i=1}^{q} t_i$. From (4) we have



q 

mo + ^ ti 



< u < 



log2(^) 



[k{ti) - log2 + l) • It follows 






"o + ^(fc(ii)+i.) ( 1 + 



Y Ku)+0{q) 



log2(Y5+l) 



+ 0 



( — 



It is easy to see that $q = O(\log_2 n_q)$. Therefore, $m_q = \frac{n_q}{\log_2(\sqrt{5}+1)} + O(\log_2 n_q)$. □



7 Constructions of Proper Matrices 
by Means of Cyclic Matrices 

The construction of proper matrices in Section 5 gives the best limit value for the ratio, but in general does not give the best possible matrices for concrete parameters. In this Section we discuss a method that probably gives the best possible, in some sense, concrete proper matrices.

We denote by $S(t)$ the maximum possible number of rows in matrices that satisfy properties (i) and (ii) of proper $(t,k,p,t)$-matrices but whose number of rows is not necessarily a power of two. By the proof of Theorem 2 we have $S(t) \le$ • Below we show that $S(t) = \left\lfloor \left(\frac{\sqrt{5}+1}{2}\right)^t \right\rfloor$ at least for $1 \le t \le 10$. We search for the desired matrices for odd $t$ in the class of matrices with $p = t$ that contain, with each of their rows, also all possible cyclic shifts of this row.
p = t that contain with each its row also all possible cyclic shifts of this row. 



Theorem 5. $S(t) = \left\lfloor \left(\frac{\sqrt{5}+1}{2}\right)^t \right\rfloor$ for $1 \le t \le 10$.



Proof. For t = 1, 3, 5, 7, 9 we give the desired matrices Mt directly. Below we give 
in the matrices only one row from each class of cyclic shifts. 



Ml = { 1 } , M3 = 



5 = 




Afj = 




Mo = ( 



> . 



For t = 2 we put M 2 = 



(here we do not use cyclic shifts). Thus, 



$S(1) = 1$, $S(2) = 2$, $S(3) = 4$, $S(5) = 11$, $S(7) = 29$, $S(9) = 76$. If $t$ is even, $t > 2$, then

$\left\lfloor \left(\frac{\sqrt{5}+1}{2}\right)^t \right\rfloor = \left\lfloor \left(\frac{\sqrt{5}+1}{2}\right)^{t-1} \right\rfloor + \left\lfloor \left(\frac{\sqrt{5}+1}{2}\right)^{t-2} \right\rfloor$.

Therefore if $t$ is even, $t > 2$, and the desired matrices $M_{t-2}$ and $M_{t-1}$ are already constructed, then the matrix $M_t$ can be constructed in the form

$M_t = \begin{pmatrix} M_{t-1} & \mathbf{1} \\ M_{t-2} \;\; \mathbf{*} & \mathbf{2} \end{pmatrix}$

(an all-ones column is appended to $M_{t-1}$, and an all-$*$ column followed by an all-twos column to $M_{t-2}$). Thus, $S(4) = 6$, $S(6) = 17$, $S(8) = 46$, $S(10) = 122$. □

Hypothesis. $S(t) = \left\lfloor \left(\frac{\sqrt{5}+1}{2}\right)^t \right\rfloor$.



Note that if $k_0 < t$ then a proper $(k_0, k, p, t)$-matrix can be obtained from $M_t$ by cancelling all rows where the number of ones is greater than $k_0$, and then some more rows down to the nearest power of two.

Using the matrices $M_9$ and $M_{10}$ as initial in the recursive construction of Theorem 3 we have constructed the 172-variable 102-resilient function with maximum possible nonlinearity as
52,-1.2,i72^2.2,472,4,7,8T4,5 j^875,6,9,976,9+4+4T9^10+5+5 
Ti0,11,16,167ii + i + 6,167ii, 9+3+3 = 5i72, 102,9, 1 ■ 
These are the smallest parameters that we have found improving the bound in [11].
Abstract. The paper describes two algorithms for personnel identification, data authentication and digital signatures. Both are based on the intractability of finding square roots over finite fields, and both can also be used as identity-based schemes. The outstanding feature of these two algorithms is their speed. Also a concept of interlocking equations is introduced, which in effect acts like a one-way function.

Key words: Cryptography, digital signature, personnel identification, 
data authentication, interlocking equations. 



1 Introduction 

In an era where increasingly sensitive information is transmitted digitally and business transactions are done between people or firms located at far corners of the globe, mostly using an insecure public medium, it has become imperative that enough security is guaranteed in such systems to boost user confidence. Data authentication, digital signature and personnel identification schemes provide the much-needed security for these systems. These cryptographic features had their conception in a path-breaking paper presented by Diffie and Hellman [1] in 1976. It is also to be noted that these added security measures should in no way degrade the performance of such systems in terms of simplicity, response time, user friendliness, cost etc.

Most of the popular digital signature algorithms like RSA, DSA, the Schnorr scheme etc. use modular exponentiation with a modulus length of the order of 1000 bits. Using the Brickell scheme [2] this will require on average 250 modular multiplications. Also, as time goes on the scheme has to opt for longer keys to sustain the security level, and the required number of multiplications increases proportionately. This puts a constraint on the processing power of the system, which becomes a severe handicap in the case of smart cards, handheld secure devices, portable systems etc. Hence any cryptographic scheme which reduces the number of multiplications without making any appreciable sacrifices on other fronts will always be welcome [3].

One more problem with the above schemes is that they are not identity 
based. This means an additional key certification phase as well as less flexibility 
for introducing user dependent features into the secure system. 
The proposed algorithms address the problems plaguing the broad areas of personnel/entity identification, data/message authentication and digital signature generation. The main obstacle seen in current schemes in these areas is lack of speed. Also it is observed that if one scheme is superior in one specification it is left wanting in other specifications. The algorithms discussed below, apart from having speed, have very few public keys, are identity based and are simpler to fabricate, which is extremely handy in the case of smart card implementations for achieving cost-effective systems.

2 Method 1 

This method uses a set of unique interlocking equations as its backbone. The 
security derives from the interlocking feature of these equations as well as the 
intractability of finding the square roots of huge numbers over finite fields [4]. 
These equations taken independently resemble the scheme by Ong, Schnorr and 
Shamir [5]. 

2.1 Interlocking Equations 

The two interlocking equations have three inputs $I_1$, $I_2$ and $I_3$ such that the modular square of one of them added/subtracted modulo $n$ to/from the modular square of each of the other two gives the outputs $O_1$ and $O_2$ respectively.

$O_1 = I_2^2 \pm I_1^2 \bmod n$

$O_2 = I_3^2 \pm I_1^2 \bmod n$

It can be seen that given the inputs the outputs can be determined easily, but the reverse process is not so easy. Even though each equation on its own can be solved in polynomial time using Pollard's method [6], when it comes to the second equation, because of the interlocking nature, the problem boils down to finding a square root over a finite field. In other words this set of equations exhibits a one-way property which can be used effectively for cryptographic purposes.

There are two modes of operation for issuing the private keys. These can be 
also considered as examples of identity based scheme [7]. 

2.2 Trusted Party Mode 

In this mode the trusted party will issue the private keys. First it will generate a 
modulus n, which is a product of two big primes and then publishes n but keeps 
the prime factors secret. The modulus n will be common to all users in the group. 
Any user who wants to become a group member has to approach the trusted 
party with his/her/entity credentials like voter’s identity card, passport, ration 
card, social security number, company registration details etc. If the trusted 
party is convinced about the user’s identity, then it starts the process of issuing 
the private key. From the supplied credentials two identity strings /i(s) and l2{s) 
are generated based on a fixed and widely published format. 
Now $I_1(s)$ and $I_2(s)$ are assigned to the outputs of a set of interlocking equations as shown below. The three private keys $(r_1, r_2, r_3)$ are such that the modular square of one of them subtracted modulo $n$ from the modular squares of the other two gives the identity strings $I_1(s)$ and $I_2(s)$ respectively.

$I_1(s) = r_2^2 - r_1^2 \bmod n$

$I_2(s) = r_3^2 - r_1^2 \bmod n$

To achieve this, $r_1$ is set to a random number. Since in a finite field only fewer than half of the numbers have square roots, it is first tested whether a square root exists [8] for the modular sum of the modular square of $r_1$ with the modular squares of $I_1(s)$ and $I_2(s)$ respectively. Now $r_1$ is changed until a square root exists for both conditions. The resultant square roots are the other two private keys $r_2$ and $r_3$.

It is to be noted that without the knowledge of the prime factors of n it is 
virtually impossible to find modulo square roots or in other words the private 
keys. The identity strings /i(s) and l2{s) are the two public keys of user A. The 
common public key for all the users is the common modulus n. 



2.3 Independent Member Mode 

In this mode each user generates their own private keys. So each user creates his own modulus $n$, which is published as a public key apart from his identity strings as in the earlier mode. It may be noted that the trusted party is not fully dispensed with. The trusted party has a role to play in authenticating user public keys: the user presents his credentials and public keys to the trusted party, and if the trusted party is convinced about the credentials it issues its signatures for the user's public keys. This is done to prevent somebody impersonating others. $I_1(s)$, $I_2(s)$ and $n$ are the public keys of the user. There is no common modulus.



3 The Method of Operation for Different Applications 

3.1 Personnel Identification 

In this mode the prover can prove his identity to the verifier, or the verifier can verify the prover's identity, either way. The protocol starts with the prover sending a prompt string to the verifier. For that the prover creates random numbers $x$, $y$ and $z$ using a cryptographically secure random generator [9]. Then they are assigned to the inputs of a set of interlocking equations. Its outputs $p_1$ and $p_2$ are the modular differences of the modular square of $x$ with the modular squares of $y$ and $z$ respectively.

$p_1 = y^2 - x^2 \bmod n$

$p_2 = z^2 - x^2 \bmod n$




270 



D. Ramesh 



Two more constituents of the prompt string, $p_3$ and $p_4$, are obtained as follows.

$p_3 = 2(r_2 \cdot y - r_1 \cdot x) \bmod n$

$p_4 = 2(r_3 \cdot z - r_1 \cdot x) \bmod n$

The prover sends $p_1, p_2, p_3, p_4$ along with his identity strings to the verifier to initiate the process. In independent member mode the prover has to attach his public key signatures as well, so as to enable the verifier to authenticate the public keys.

After receiving the prompt string the verifier authenticates the prover's public keys using its signatures and the modulus of the trusted party, which would have been widely published (only in the case of independent member mode), and then creates random numbers $a$ and $b$ and sends them to the prover as a challenge string. When the prover receives the challenge he creates his response, or in other words his digital signature $(p_5, p_6, p_7)$, which is unique in terms of his identity strings, the verifier's challenge string and the private key information which he alone possesses.



$p_5 = r_1 \cdot a + x \cdot b \bmod n$

$p_6 = r_2 \cdot a + y \cdot b \bmod n$

$p_7 = r_3 \cdot a + z \cdot b \bmod n$

After getting the response from the prover the verifier imposes two conditions.

$p_6^2 - p_5^2 = I_1(s) \cdot a^2 + p_1 \cdot b^2 + p_3 \cdot a \cdot b \bmod n$

$p_7^2 - p_5^2 = I_2(s) \cdot a^2 + p_2 \cdot b^2 + p_4 \cdot a \cdot b \bmod n$

This will verify whether prover possesses the private key information without 
leaking a single bit of information about it. This is an example of zero knowl- 
edge test. Proving of possession of private key information in turn proves the 
genuineness of the identity string he has presented. In other words the identity 
of the prover is proved beyond doubt. 

It is important to mention that similar results can be obtained by changing the signs (i.e. $+$ to $-$) in the equations for $p_1$ to $p_7$ and then appropriately changing the signs in the test conditions such that the relations are valid.

Now all the hackers in the universe can lay their hands on $p_1$ to $p_7$ but will not be able to get a single bit of information about the private key unless they know the prime factors of $n$. Since the prime factors are not made public one has to factorize $n$, a huge number (of the order of 1000 bits), which may take millions of years with all the processing power one can get.

Before leaving this section, a brief mention about the response time or processing time of the whole system. It can be seen that the prover module requires only six modular multiplications on line and only five modular multiplications off line. The verifier module requires only eight modular multiplications on line and only three modular multiplications off line. But the size of the signature ($p_1$ to $p_7$) is slightly large compared to other popular schemes.
3.2 Data Authentication 

In this mode any message originating from the prover can be authenticated as having originated from the prover himself and nobody else. Here the process is the same as above until the prover receives the challenge. Then he hashes, or in other words creates a message digest from, the combination of the challenge string, the actual message, the prompt string and the identity string of the prover, and uses the resultant strings to create his signature (inclusion of the identity string in the hash is optional). This will be sent to the verifier. (In independent member mode the signatures of the public keys of the prover are also attached.)

Verifier already in possession of all the strings creates the same message digest 
and then using the received signatures does the verification as mentioned earlier 
(In the case of independent member mode, signatures of prover public keys are 
verified first). If verified true then the verifier can be sure that the message has 
indeed originated from the prover as described by the identity string and further 
actions can be taken depending upon the content of the message. 



3.3 Digital Signature Generation 

In this mode the digital signature is created as in the case of the data authenticator, except that the prompt string is not sent to the verifier and the challenge string is absent. This means there is no communication between verifier and prover. Here the message digest is created from a combination of the prompt string, the prover's identity string and the message (inclusion of the identity string in the hash is optional). The resultant two strings are used by the prover to create the signatures. Now the signatures are attached to the message, the prompt string and the identity string (in independent member mode the signatures of the public keys of the prover are also attached).

The verifier when supplied with the signed document/data retrieves the 
prompt string and message and creates the same message digest. (In the case of 
independent member mode the public key signatures supplied are also retrieved 
and then authenticated before proceeding further) The resultant strings are used 
to verify the signatures attached. 
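The trusted-party key issuance of Section 2.2 together with the identification exchange of Section 3.1 and the digest-driven signature mode of Section 3.3, as an added Python example (not the paper's own code). It assumes a constructed toy modulus from two small primes (both 3 mod 4) so the trusted party can take square roots, a SHA-256 derivation of the identity strings $I_1(s)$, $I_2(s)$ and of the signature-mode pair $(a, b)$ (the paper only fixes that a published format is used), and a second identity whose keys are used to show the check failing.

```python
import hashlib
import random

P, Q = 10007, 10039   # constructed toy primes, both congruent to 3 mod 4
N = P * Q             # common modulus n published by the trusted party


def sqrt_mod_n(a, p=P, q=Q):
    """Square root of a modulo n = p*q using the secret factors, or None.
    For a prime m = 3 (mod 4), a^((m+1)/4) is a root whenever a is a square
    modulo m; the roots modulo p and q are combined by the CRT."""
    roots = []
    for m in (p, q):
        r = pow(a % m, (m + 1) // 4, m)
        if (r * r - a) % m != 0:
            return None          # a is a non-residue modulo this factor
        roots.append(r)
    rp, rq = roots
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def identity_strings(credentials, n=N):
    """I1(s), I2(s) from the credentials (assumed: domain-separated SHA-256 mod n)."""
    def h(tag):
        return int.from_bytes(hashlib.sha256(credentials + tag).digest(), "big") % n
    return h(b"|I1"), h(b"|I2")


def issue_private_keys(credentials, seed, n=N):
    """Trusted party: retry random r1 until I1+r1^2 and I2+r1^2 both have roots,
    so that I1(s) = r2^2 - r1^2 and I2(s) = r3^2 - r1^2 (mod n) hold."""
    i1, i2 = identity_strings(credentials, n)
    rng = random.Random(seed)
    while True:
        r1 = rng.randrange(1, n)
        r2 = sqrt_mod_n((i1 + r1 * r1) % n)
        r3 = sqrt_mod_n((i2 + r1 * r1) % n)
        if r2 is not None and r3 is not None:
            return r1, r2, r3


def prover_prompt(keys, rng, n=N):
    """Prover (off-line): pick x, y, z and form the prompt string p1..p4."""
    r1, r2, r3 = keys
    x, y, z = (rng.randrange(1, n) for _ in range(3))
    p1 = (y * y - x * x) % n
    p2 = (z * z - x * x) % n
    p3 = 2 * (r2 * y - r1 * x) % n
    p4 = 2 * (r3 * z - r1 * x) % n
    return (p1, p2, p3, p4), (x, y, z)


def prover_response(keys, nonces, a, b, n=N):
    """Prover (on-line): p5 = r1*a + x*b, p6 = r2*a + y*b, p7 = r3*a + z*b."""
    return tuple((r * a + w * b) % n for r, w in zip(keys, nonces))


def verify(credentials, prompt, a, b, response, n=N):
    """Verifier: both interlocking conditions must hold for the claimed identity."""
    i1, i2 = identity_strings(credentials, n)
    p1, p2, p3, p4 = prompt
    p5, p6, p7 = response
    cond1 = (p6 * p6 - p5 * p5 - (i1 * a * a + p1 * b * b + p3 * a * b)) % n == 0
    cond2 = (p7 * p7 - p5 * p5 - (i2 * a * a + p2 * b * b + p4 * a * b)) % n == 0
    return cond1 and cond2


def digest_challenge(credentials, prompt, message, n=N):
    """Signature mode: (a, b) taken from a digest of prompt, identity and message
    (splitting the digest into two halves is an assumption of this example)."""
    data = credentials + b"|" + repr(prompt).encode() + b"|" + message
    d = hashlib.sha256(data).digest()
    return int.from_bytes(d[:16], "big") % n, int.from_bytes(d[16:], "big") % n


def run_identification(claimed, keys, seed, n=N):
    """Three-pass identification: prompt -> random challenge -> response -> verdict."""
    rng = random.Random(seed)
    prompt, nonces = prover_prompt(keys, rng, n)
    a, b = rng.randrange(1, n), rng.randrange(1, n)   # verifier's challenge
    return verify(claimed, prompt, a, b, prover_response(keys, nonces, a, b, n), n)


def sign_message(credentials, keys, message, seed, n=N):
    """Signature mode: no verifier interaction; the digest plays the challenge."""
    prompt, nonces = prover_prompt(keys, random.Random(seed), n)
    a, b = digest_challenge(credentials, prompt, message, n)
    return prompt, prover_response(keys, nonces, a, b, n)


def verify_signature(credentials, message, signature, n=N):
    """Recompute the digest challenge and run the same two checks."""
    prompt, response = signature
    a, b = digest_challenge(credentials, prompt, message, n)
    return verify(credentials, prompt, a, b, response, n)
```

Note that only `sqrt_mod_n` touches the factors of n; everything the prover and verifier do uses n alone, which is the point of the scheme.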



4 Method 2 

This method is based on Pythagorean triplets [10]. The security is derived from the intractability of finding square roots of huge numbers over finite fields. This can also be considered an identity-based scheme.

There are two modes of issuing the private key, as in the case of Method 1.



4.1 Trusted Party Mode 

The procedure follows similar lines as in the case of Method 1 up to the generation of the identity string. From the supplied credentials the identity string $I(s)$ is generated based on a fixed and widely published format. Since in a finite field only fewer than half of the numbers have square roots, a short random string a few bits long is concatenated with $I(s)$, and this string is varied until a square root is obtained.

Now $I(s)$ concatenated with the short random string is the public key ($Puk$), and the reciprocal of the square root of $Puk$ modulo $n$ is the private key ($Prk$) of the user. It is to be noted that without the knowledge of the prime factors of $n$ it is virtually impossible to find the modular square root, or in other words the private key. The common public key for all the users is the common modulus $n$.

4.2 Independent Member Mode 

In this mode each user generates their own private keys. So each user has his own modulus $n$, which is published as a public key apart from his identity string as in the earlier mode. It may be noted that the trusted party is not fully dispensed with. The trusted party has a role to play in authenticating user public keys: the user presents his credentials and public keys to the trusted party, and if the trusted party is convinced about the credentials it issues its signatures for the user's public keys. This is done to prevent somebody impersonating others. One noticeable difference from the earlier mode is the absence of the short random string. Here, if $I(s)$ does not have a square root under the present modulus $n$, then $n$ is changed until the square root exists. The private key ($Prk$) is the reciprocal of the square root of $I(s)$ modulo $n$. $I(s)$ ($Puk$) and $n$ are the public keys of the user. There is no common modulus.



5 The Method of Operation for Different Applications 

5.1 Personnel Identification 

In this mode prover can prove his identity to the verifier or the verifier can verify 
prover’s identity, either way. The noticeable difference is there is no need for a 
prompt string from the prover. In independent member mode the prover has to 
attach his public key signatures created by a trusted party also so as to facilitate 
the verifier to authenticate the public keys. 

The verifier authenticates the prover's public keys using its signatures and the modulus of the trusted party, which would have been widely published (only in the case of independent member mode), and then creates a random number $c$ and sends it to the prover as a challenge. When the prover receives the challenge he creates his response, or in other words his digital signature, which is unique in terms of his identity string, the verifier's challenge string $c$ and the private key information he alone possesses. The two signatures, $p_1$ and $p_2$, are created as follows using Diophantine solutions for the Pythagorean triplets [11].

$v = c \cdot (2u)^{-1} \bmod n$ ($u$ is a random number)

$p_1 = u + v \bmod n$

$p_2 = Prk \cdot (u^2 - v^2) \bmod n$
After getting $p_1$ and $p_2$ from the prover the verifier imposes one condition, which tests whether the prover possesses the private key information without any need to leak a single bit of information about it. This is an example of a zero knowledge test. The test is whether

$Puk \cdot p_2^2 \bmod n = p_1^2 (p_1^2 - 2c) \bmod n$

Proving of possession of private key information in turn proves the genuine- 
ness of the identity string he has presented. In other words the identity of the 
prover is proved beyond doubt. 

The same result can be obtained by changing the signature equations.

$p_1 = (u + v) \cdot Prk \bmod n$

$p_2 = (u^2 - v^2) \bmod n$

The test equation becomes

$p_2^2 \bmod n = Puk \cdot p_1^2 (Puk \cdot p_1^2 - 2c) \bmod n$

The same results can be obtained by reversing the signs in the above equations as follows.

$p_1 = (u - v) \bmod n$

$Puk \cdot p_2^2 \bmod n = p_1^2 (p_1^2 + 2c) \bmod n$

Before leaving this section, a brief mention about the response time or processing time of the whole system. It can be seen that the prover module requires only three modular multiplications on line and one modular inverse off line. The verifier module requires only four modular multiplications on line. The signature size ($p_1$ and $p_2$) is comparable to other popular schemes.

Here also the eavesdropper will not be able to get any bit of information about 
the private key unless he knows the prime factors of n. Since prime factors are 
not made public one has to factorize n, a huge number (of the order of 1000 
bits) that may take millions of years with all the processing power one can get. 
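The identification exchange of Section 5.1 in all three signature forms, as an added Python example (not the paper's own code). It assumes a constructed toy modulus and a shortcut key pair $Puk = Prk^{-2} \bmod n$, which gives exactly the relation $Puk \cdot Prk^2 \equiv 1 \pmod n$ that the test conditions rely on; the paper instead derives $Prk$ from the identity-based $Puk$ using the secret factors of $n$.

```python
import random

N = 10007 * 10039   # constructed toy modulus n = p*q (a real n is ~1000 bits)


def toy_keypair(seed, n=N):
    """Shortcut key generation for this demo: pick a unit Prk, set Puk = Prk^-2.
    This gives Puk * Prk^2 = 1 (mod n), the relation verification rests on;
    the paper derives Prk as the inverse square root of the identity-based Puk,
    which needs the secret factors of n."""
    rng = random.Random(seed)
    while True:
        prk = rng.randrange(2, n)
        try:
            return pow(prk, -2, n), prk
        except ValueError:       # gcd(prk, n) != 1: try another value
            continue


def sign(prk, c, seed, variant="A", n=N):
    """Prover's response to challenge c (in signature mode c is the message digest).
    u is random and v = c * (2u)^-1, so 2uv = c (mod n); that identity is what
    makes the verifier's test close.
      variant "A": p1 = u+v,        p2 = Prk*(u^2-v^2)   (first form in the paper)
      variant "B": p1 = (u+v)*Prk,  p2 = u^2-v^2         (second form)
      variant "C": p1 = u-v,        p2 = Prk*(u^2-v^2)   (sign-reversed form)"""
    rng = random.Random(seed)
    while True:
        u = rng.randrange(1, n)
        try:
            v = c * pow(2 * u, -1, n) % n
            break
        except ValueError:       # 2u not invertible modulo n: pick another u
            continue
    diff = (u * u - v * v) % n
    if variant == "A":
        return (u + v) % n, prk * diff % n
    if variant == "B":
        return (u + v) * prk % n, diff
    if variant == "C":
        return (u - v) % n, prk * diff % n
    raise ValueError("unknown variant")


def verify(puk, c, sig, variant="A", n=N):
    """Verifier's single test condition for the chosen variant.
    With 2uv = c: (u+v)^2 - 2c = (u-v)^2, so both sides equal (u^2-v^2)^2."""
    p1, p2 = sig
    s = p1 * p1 % n
    if variant == "A":
        return puk * p2 * p2 % n == s * (s - 2 * c) % n
    if variant == "B":
        t = puk * s % n
        return p2 * p2 % n == t * (t - 2 * c) % n
    if variant == "C":
        return puk * p2 * p2 % n == s * (s + 2 * c) % n
    raise ValueError("unknown variant")
```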

5.2 Data Authentication 

In this mode any message originating from prover can be authenticated as orig- 
inated from prover himself and nobody else. Here the process is same as above 
till the prover receives the challenge. Then he hashes or in other words creates 
a message digest from the combination of challenge string, the actual message 
and the identity string of the prover and uses the resultant string to create his 
signature (Inclusion of identity string for hashing is optional). This will be sent 
to the verifier (In independent member mode the signatures of the public keys 
of the prover is also attached). 

Verifier already in possession of all the strings creates the same message digest 
and then using the received signatures does the verification as mentioned earlier 
(In the case of independent member mode signatures of prover public keys are 
verified first). If verified true then the verifier can be sure that the message has 
indeed originated from the prover as described by the identity string and further 
actions can be taken depending upon the content of the message. 
5.3 Digital Signature Generation 

In this mode the signatures for any message are created as in the case of the data authenticator, except that the challenge string is absent. This means there is no communication between verifier and prover. Here the message digest is created from a combination of the identity string and the message (inclusion of the identity string in the hash is optional). The resultant string is used by the prover to create the signatures. Now the signatures are attached to the message and the identity string (in independent member mode the signatures of the public keys of the prover are also attached).

The verifier when supplied with the signed document/data retrieves all the 
strings and message and creates the same message digest. (In the case of inde- 
pendent member mode the public key signatures supplied are also retrieved and 
then authenticated before proceeding further) The resultant string is used to 
verify the signatures attached. 

6 Conclusion 

Two algorithms for personnel identification, data authentication and digital signatures are discussed. They need only a few multiplications for signing as well as verifying, as a result of doing away with modular exponentiation. Like the majority of cryptographic algorithms, the security of these algorithms also relies on the absence of methods to find the factors of huge numbers in polynomial time.
Abstract. In 1999, Poupard and Stern proposed an on-the-fly signature scheme (PS-scheme), which aims at minimizing the on-line computational work for a signer. In this paper, we propose more efficient on-the-fly signature schemes by improving the PS-scheme. In the PS-scheme, the size of the secret key is fixed by the modulus n, and this feature leads to some drawbacks in terms of both the computational work and the communication load. The main idea of our schemes is to reduce the size of the secret key in the PS-scheme by using a public element g which has a specific structure. Consequently, our schemes are improved with respect to the computational work (which means the computational cost for "pre-computation", "(on-line) signature generation" and "verification") and the data size such as the secret key and the signature.



1 Introduction 

As is well known, a signature scheme is an important tool for secure communication in an open network. Furthermore, a public-key infrastructure (PKI) actually requires compact signature schemes. Compactness in both computational work and data size gives users convenience, and is acceptable for various applications on capacity-limited devices such as a smart card.

Focus on the computational work in a generic digital signature scheme¹. In such a signature scheme there are two kinds of computation to generate a signature, that is, it consists of pre-computation and (actual) signature generation. To estimate the efficiency of a signature scheme, we should separately consider the computational cost for pre-computation and that for signature generation. The information generated at the pre-computation does not depend upon the message to be signed. Therefore the pre-computation can be executed off-line, i.e. before the message to be signed is given. This means that such a computational cost does not influence the processing time after a message is given.

On the other hand, the computational cost in the signature generation step, 
does directly influence the processing time after being given a message. With 

^ As in [PS00], in this paper a generic (digital) signature scheme means a signature scheme which can be derived from a three-pass identification scheme by using an appropriate hash function. 
respect to fast signature generation, Naccache et al. [NMVR94] proposed an efficient technique: a trusted authority computes the information off-line and treats it as coupons. In coupon-based signatures, the reduction of the on-line computational work is the very target for fast signing. Consequently, we can say that making the computational cost of a signature scheme small is worthwhile work. 

In 1992, Girault [Gir92] modified Schnorr's signature scheme [Sch91] so that an RSA modulus^ is used instead of a prime modulus. This modification leads to no modular reduction in the signature generation. Therefore, in Girault's scheme, faster processing of the signature generation is possible than in Schnorr's. In 1998, Poupard and Stern [PS98] investigated and gave provable security for Girault's scheme, and named that scheme the GPS-scheme. In this paper, we call a generic signature scheme in which no modular reduction is necessary at the (on-line) signature generation step an on the fly signature scheme. 

In 1999, Poupard and Stern [PS99] proposed a generic signature scheme (PS-scheme) whose security relies on the difficulty of integer factoring. In this scheme, the size of the public key is smaller than that in the GPS-scheme. Consequently, compared with the GPS-scheme, the computational cost and the data size can be decreased, and the PS-scheme seems more secure under the one-key attack scenario [PS99]. However, the PS-scheme has some drawbacks. For instance, the size of the secret key depends only on the modulus $n$ and is considerably large (about $|n|/2$). This drawback leads to inefficient results in both computational work and data size. Moreover, the computational cost of verification is very high. 

In this paper, we improve the PS-scheme and propose new "on the fly" signature schemes (Scheme I and II) which are based on integer factoring. In our schemes, the public key $g$ has a specific structure. Consequently, in comparison with the PS-scheme, the size of the secret key is small ($\ll |n|/2$). As a result, our schemes realize compact signatures. Especially, the computational work in verification is much reduced by changing the $n$ in $x = g^{y - ne} \bmod n$ (PS-scheme) into $z$ in $x = g^{y - ze} \bmod n$ (our schemes). 

As for Scheme I, the public key $n$ is an RSA modulus, the same as in the PS-scheme. The performance of Scheme I is much superior to that of the PS-scheme, and it is as secure as the integer factoring problem for the modulus $n$ (in the random oracle model). To satisfy the security, Scheme I uses an asymmetric basis $g$ in $\mathbb{Z}_n^*$, which is a variant of [Po00]. 

As for Scheme II, the public key $n$ consists of three or more primes instead of the RSA modulus of Scheme I (or the PS-scheme). In [Sil99], we can see several attempts to get faster computation for the RSA cryptosystem [RSA78] by the technique of increasing the number of factors of the modulus. Scheme II can make use of the very same technique. Its security is equivalent to a specially defined mathematical problem, the finding order problem (in the random oracle model), which is derived from integer factoring. 



^ In this paper, we call a modulus that is a product of two distinct primes an RSA modulus. 
Concretely, compared with the PS-scheme, the sizes of a secret key and a signature in Scheme I (resp. Scheme II) can be reduced by at least 69% and 47% (resp. 63% and 43%), respectively. Furthermore, Scheme I (resp. Scheme II) has the advantage that the computational cost can also be smaller. Compared with the PS-scheme, the computational cost in Scheme I (resp. Scheme II) for pre-computation, signature generation and verification can be reduced by at least 38%, 69% and 64% (resp. 54%, 63% and 61%), respectively. 

This paper is organized as follows. In Section 2, we review the PS-scheme and discuss it. In Section 3, we introduce our proposed signature scheme (Scheme I), describe some of its features, and give provable security for it. In Section 4, we introduce an optimized scheme (Scheme II) and discuss it in the same way as in Section 3. In Section 5, we discuss the security with respect to (1) the size of $n$ and (2) the number of prime factors of $n$ in our schemes. In Section 6, we evaluate the performance of our schemes by comparison with several existing schemes. The conclusion is given in Section 7. 

2 Previous Scheme 

In this section, we review the signature scheme (PS-scheme) in [PS99]. This scheme is a generic signature scheme derived from an identification scheme. We first introduce some notation. The symbol $\varphi(\cdot)$ denotes the Euler totient function, that is, $\varphi(n)$ is the number of natural numbers less than $n$ and coprime to $n$. The symbol $\lambda(\cdot)$ denotes the so-called Carmichael function, that is, $\lambda(n)$ is the greatest among the possible orders of elements in $\mathbb{Z}_n^*$. The order of an element $g \in \mathbb{Z}_n^*$ is denoted by $\mathrm{Ord}_n(g)$. 

2.1 Protocols 

In the PS-scheme, the following parameters exist: $k$ and $\kappa$ are the security parameter and the information leak parameter, respectively. The security parameter $k$ is $|n|/2$, and the information leak parameter $\kappa$ is chosen so that $2^\kappa$-time computation is intractable. The parameters $A$ and $B$ satisfy $A < n$ and $|A| = k + \kappa + |B|$. Also $B$ is chosen so that $B$-time computation is intractable. We use an appropriate hash function $H : \{0,1\}^* \to \{0,1\}^{|B|}$. 

Key generation step: The signer picks two same-size primes $p$ and $q$ and computes $n = pq$. After that, she picks $g \in \mathbb{Z}_n^*$ satisfying $\mathrm{Ord}_n(g) \in \{\lambda(n), \lambda(n)/2\}$ and computes $s = n - \varphi(n)$ $(= p + q - 1)$. The secret key is $s$. The corresponding public key is $(n, g)$. 

Signature generation step: Suppose the signer generates a signature for a message $m \in \{0,1\}^*$. The signer picks a random number $r \in \mathbb{Z}_A$ and computes $x = g^r \bmod n$, $e = H(x, m)$ and $y = r + se$. Note that $y$ is the very value of $r + se$ over $\mathbb{Z}$. The signature for the message $m$ is $(e, y)$. 

Verification step: Given the public key $(n, g)$ of the signer, a message $m$ and a signature $(e, y)$, the verifier accepts the signature if both $y < A$ and $e = H(g^{y - ne} \bmod n, m)$ hold, and rejects it otherwise. 
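The three steps above, run end to end on toy parameters, as an added example (it is not the paper's code). The primes, the toy sizes of $\kappa$ and $|B|$, and the choice of SHA-256 for $H$ are assumptions made here; the safe-prime shape $p = 2p'+1$, $q = 2q'+1$ is used only so that $\lambda(n) = 2p'q'$ is known and the order condition on $g$ can be tested directly.

```python
import hashlib
import secrets
from math import gcd

# Toy instance of the PS-scheme reviewed above. Constructed parameters: two
# same-size safe primes p = 2p'+1, q = 2q'+1, so lambda(n) = 2p'q' is known and the
# order condition on g can be tested. Real parameters: |n| = 1024, kappa = 80.
P, P1 = 1019, 509                 # 1019 = 2*509 + 1
Q, Q1 = 1187, 593                 # 1187 = 2*593 + 1
N = P * Q
PHI_N = (P - 1) * (Q - 1)
K = N.bit_length() // 2           # security parameter k = |n|/2
KAPPA = 8                         # information-leak parameter (toy value)
B_BITS = 32                       # |B|: bit length of e = H(x, m) (toy value)
A_BITS = K + KAPPA + B_BITS       # |A| = k + kappa + |B|
A = 1 << A_BITS


def H(x, m):
    """e = H(x, m): SHA-256 (our choice) truncated to |B| bits."""
    data = x.to_bytes((N.bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - B_BITS)


def pick_g():
    """g with Ord_n(g) in {lambda(n), lambda(n)/2}: the order divides 2p'q' and is
    a multiple of p'q' iff g^(2p') != 1 and g^(2q') != 1 (mod n)."""
    while True:
        g = secrets.randbelow(N - 2) + 2
        if gcd(g, N) == 1 and pow(g, 2 * P1, N) != 1 and pow(g, 2 * Q1, N) != 1:
            return g


def keygen():
    s = N - PHI_N                 # secret key s = n - phi(n) = p + q - 1, |s| ~ |n|/2
    return (N, pick_g()), s


def sign(pk, s, m):
    n, g = pk
    while True:
        r = secrets.randbelow(A)  # pre-computation: r and x = g^r mod n do not depend on m
        x = pow(g, r, n)
        e = H(x, m)
        y = r + s * e             # on-line work: one integer multiplication, no reduction
        if y < A:                 # y >= A happens with probability about 2^-kappa; resample
            return e, y


def verify(pk, m, sig):
    n, g = pk
    e, y = sig
    if not 0 <= y < A:            # the explicit size test that characterises the PS-scheme
        return False
    # y - ne = r - phi(n) e, so g^(y - ne) = g^r. The exponent is negative and about
    # |n| + |B| bits long; pow() with a negative exponent uses the inverse of g mod n.
    return e == H(pow(g, y - n * e, n), m)
```

The verifier never learns $\varphi(n)$, so it cannot shorten the exponent $y - ne$; that is the "full exponentiation" cost discussed in Section 2.2. The signer, on the other hand, does nothing on-line but one multiplication and one addition over $\mathbb{Z}$.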
2.2 Features and Drawbacks 

The secret key in the PS-scheme is $s = n - \varphi(n)$, which depends only upon (a part of) the public key $n$. The two parameters $n$ and $s$ are congruent modulo $\varphi(n)$, and the size of $s$ is about half of that of $n$. 

Moreover, the computation of $y$ is executed over $\mathbb{Z}$, and the information on the secret key is protected by computing $r + se$ under the condition $r \gg se$. Therefore, we can see that the size of $r$ also depends upon that of $se$. 

In the verification step, the size of $y$ has to be explicitly verified, i.e. whether the condition $y < A$ holds or not. This kind of verification cannot be seen in the existing signature schemes [ElG85,NIST91,RSA78,Sch91], hence we can say that such a verification indeed characterizes the PS-scheme. 

Unfortunately, the PS-scheme has the following drawbacks. 

High computational cost for the verifier: In the verification step, $y \ll ne$ actually holds, and the order of $g \in \mathbb{Z}_n^*$ is not public. Therefore, the computational cost for a verifier becomes considerably large as $|ne|$ increases: the verifier must compute a full exponentiation ($|y - ne|$ bits) such as $x = g^{y - ne} \bmod n$. 

Inefficiency by the increase of the secret-key size: If the size of the secret key $s$ increases for security reasons, then this scheme becomes inefficient in view of (1) the computational cost for pre-computation, signature generation and verification, and (2) data sizes such as the size of a signature. 

Restriction on the structure of the public key $n$: When we set up the public key $n$ to be the product of three or more primes, the size of the secret key increases accordingly. For example, in case $n$ is the product of three primes $p$, $q$ and $r$, the secret key $s$ $(= n - \varphi(n))$ turns out to be $n - (p-1)(q-1)(r-1)$ $(= pq + qr + rp - (p + q + r) + 1)$, whose size is about $3/2$ times that in the case where $n$ is the product of two primes. 



3 Proposed Scheme 

In this section, we introduce our signature scheme (Scheme I). The main idea of Scheme I is to reduce the size of the secret key by using an element $g$ which has a specific structure. Furthermore, we wish Scheme I to have the same security as the PS-scheme, so the following basis is used in Scheme I. 

Definition 1 (Asymmetric basis) Let $n$ be an RSA modulus such that $n = pq$. Then we say that $g$ is an asymmetric basis in $\mathbb{Z}_n^*$ if the multiplicity of 2 in $\mathrm{Ord}_p(g)$ is not equal to the multiplicity of 2 in $\mathrm{Ord}_q(g)$. ■ 

We can say that this definition is more relaxed in comparison with that of [Po00]. 



3.1 Protocols 

Scheme I has the parameters $k$, $\kappa$, $a$, $b$ and $c$, where $k$ is the security parameter, that is, the length of the secret key, and $\kappa$ is the information leak parameter, that is, $2^\kappa$-time computation shall be intractable. Those parameters are assumed to satisfy $a \ge b + k + \kappa$ and $c \ge k + 2\kappa$. The detailed conditions on the parameters are given in Section 3.2. We use an appropriate hash function $H : \{0,1\}^* \to \{0,1\}^b$. 

Fig. 1. Proposed signature schemes 

Scheme I:  $n = pq$; parameter: an asymmetric basis $g \in \mathbb{Z}_n^*$; $z \in_R \mathbb{Z}_{2^c}$; $s = z \bmod \mathrm{Ord}_n(g)$. 
Scheme II: $n = \prod_{i=1}^{t} p_i$ $(t \ge 3)$; parameter: an element $g \in \mathbb{Z}_n^*$; $z \in_R \mathbb{Z}_{2^c}$; $s = z \bmod \mathrm{Ord}_n(g)$. 

Public key: $n, g, z$.  Secret key: $s$. 

Signer: $r \in_R \mathbb{Z}_{2^a}$, $x = g^r \bmod n$ (pre-computed pair $(r, x)$); on receiving $m$: $e = H(x, m)$, $y = r + se$; sends $m, (e, y)$ to the verifier. 
Verifier: checks $|y| < a + 1$ and $e = H(g^{y - ze} \bmod n, m)$. 

Key generation step: The signer picks two same-size primes $p$ and $q$ and computes $n = pq$. After that, she chooses an element $g \in \mathbb{Z}_n^*$ which is an asymmetric basis in $\mathbb{Z}_n^*$. She picks a random number $z \in \mathbb{Z}_{2^c}$ and computes $s = z \bmod q$, where $q = \mathrm{Ord}_n(g)$ (throughout Section 3, this $q$ denotes the order of $g$, not the prime factor $q$ of $n$). The secret key is $s$ and the corresponding public key is $(n, g, z)$. 

Signature generation step: Suppose a signer having the public key $(n, g, z)$ and the corresponding secret key $s$ generates a signature for a message $m \in \{0,1\}^*$. Then she picks a random number $r \in \mathbb{Z}_{2^a}$ and computes $x = g^r \bmod n$ and $e = H(x, m)$. She also computes $y = r + se$, where $y$ is the very value of $r + se$ over $\mathbb{Z}$. The signature for the message $m$ is $(e, y)$. 

Verification step: Given the public key $(n, g, z)$ of the signer, a message $m$ and a signature $(e, y)$, the verifier accepts the signature if both $|y| < a + 1$ and $e = H(g^{y - ze} \bmod n, m)$ hold, and rejects it otherwise. 







T. Okamoto, M. Tada, and A. Miyaji 



3.2 Parameter Generation 

We describe remarks on the parameters for the security of Scheme I. For a signature $y = r + se$ with $|r| = a$, $|s| = k$ and $|e| = b$, the values $a$, $b$, $k$ and $\kappa$ shall satisfy $a \ge b + k + \kappa$ for its security. 

If an adversary could figure out $r \in \mathbb{Z}_{2^a}$ from $x$ $(= g^r \bmod n)$ generated by the actual signer, then she could break the signature scheme. Algorithms to extract $r$ include the Pollard lambda method [Po78] and the baby-step giant-step method [Knu98]. One may say that the former is better than the latter since it has the same computational complexity (exponential time: $O(\sqrt{q})$, with $q = \mathrm{Ord}_n(g)$) but does not need memory. The size of $q$ shall be set so that $r$ cannot be figured out with such an algorithm. 

The information leak parameter $\kappa$ should be set so that $2^\kappa$-time computation is intractable. 

If $y > ze$ were allowed, then an adversary could impersonate the signer by easily computing $y$ along the lines of the actual protocol, such that $x = g^{y - ze} \bmod n$ holds: she chooses $r'$, puts $x = g^{r'} \bmod n$ and $e = H(x, m)$, and sets $y = r' + ze$, which passes the test on $e$ without knowledge of $s$. To keep off such an attack, the condition $c \ge k + 2\kappa$ shall be required, from $c + b \ge a + \kappa \ge b + k + 2\kappa$. Furthermore, if $q > 2^c$ were satisfied, then $s = z$ would hold, that is, the secret key would be disclosed. Hence $q < 2^{c - \kappa}$ shall also be required, and it always holds since $q < 2^k \le 2^{c - 2\kappa} < 2^{c - \kappa}$. 

Next, we describe how to find $p$, $q$ and an asymmetric basis $g$ in $\mathbb{Z}_n^*$. 

— Pick two primes $p = 2p'p'' + 1$ and $q = 2q'q'' + 1$ such that $p'$ and $q'$ are also primes, and $p''$ and $q''$ are odd numbers. 

— Choose $a_p \in \mathbb{Z}_p^*$ satisfying $g_p = a_p^{(p-1)/p'} \not\equiv 1 \pmod p$. In the same way, choose $a_q \in \mathbb{Z}_q^*$ such that $g_q = a_q^{(q-1)/(2q')} \bmod q$ satisfies $g_q \not\equiv \pm 1 \pmod q$ and $g_q^{q'} \not\equiv 1 \pmod q$ (so that $g_q$ has order exactly $2q'$). 

— Compute $n = pq$ and $g = q\,(q^{-1} \bmod p)\,g_p + p\,(p^{-1} \bmod q)\,g_q \bmod n$. 

In the last step, $g$ is computed by using the Chinese Remainder Theorem (CRT). Note that $\mathrm{Ord}_p(g) = p'$ and $\mathrm{Ord}_q(g) = 2q'$. Therefore $\mathrm{Ord}_n(g) = \mathrm{lcm}(p', 2q') = 2p'q'$. 

Finally, we discuss the hash algorithm which we should adopt. If $H$ were an ideal hash function, then the proposed signature scheme would be secure as described in Section 3.3. Since such a random function does not exist in the real world, for implementation we recommend SHA-1 [NIST95], which is designed so that the algorithm can be a collision-intractable hash function [Dam88]. 

3.3 Security Analysis 

In this paper, we say that a signature scheme is secure if no polynomial-time adversary $\mathcal{A}$ can existentially forge a signature under an adaptive chosen-message attack. In this section, we show that Scheme I is secure by using the forking lemma in [PS00] and by showing that the protocol of the signature generation step (see Section 3.1) can be simulated by a polynomial-time machine in the random oracle model [BR93]. To discuss the provable security, we regard the signature for a message $m$ as $(x, e, y)$. 

As a strategy, we show that if there exists a polynomial-time adversary which can existentially forge a signature under the strongest attack, that is, an adaptive chosen-message attack, then we can construct a polynomial-time machine which can compute the integer factoring. 

We say that a positive function $f(k) : \mathbb{N} \to \mathbb{R}$ is negligible if for any $c$ there exists $k_c$ such that $f(k) < k^{-c}$ for any $k > k_c$. Otherwise $f$ is said to be non-negligible. 

Lemma 2 Let $n$ be an RSA modulus and $g$ be an asymmetric basis in $\mathbb{Z}_n^*$. Assume that we find $L > 0$ such that $g^L \equiv 1 \pmod n$. Then we can construct a Turing machine $M$ which, on input $n$, $g$ and $L$, outputs a factor of $n$ in time $O(|L||n|^2)$. 

Proof. (Sketch) This lemma is basically due to [Po00]. Hereafter, we describe how to construct $M$. 

At first, $M$ extracts the odd part $b$ of $L$, such that $L = 2^a b$. Since $g$ is an asymmetric basis in $\mathbb{Z}_n^*$ (with, as constructed in Section 3.2, $\mathrm{Ord}_p(g)$ odd and $\mathrm{Ord}_q(g)$ twice an odd number), it holds that $g^{2b} \equiv 1 \pmod p$ and $g^{2b} \equiv 1 \pmod q$, and also $g^b \equiv 1 \pmod p$ and $g^b \equiv -1 \pmod q$. Then we have the following results: $p \mid g^b - 1$ and $n \nmid g^b - 1$. Consequently, $M$ can find a factor of $n$ by computing $\gcd(g^b - 1 \bmod n, n)$. For a general asymmetric basis, $M$ tries $g^{2^i b}$ for $i = 0, \ldots, a - 1$ in the same way: at the first $i$ for which this value is $1$ modulo exactly one of the prime factors, the gcd yields that factor. 

Note that the modular exponentiation algorithm (resp. the extended Euclidean algorithm) has a running time of $O(|L||n|^2)$ (resp. $O(|n|^2)$). Hence $M$ can execute the above steps in time $O(|L||n|^2)$. □ 
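Scheme I of Sections 3.1 and 3.2 together with the factoring step of Lemma 2, as one added example (it is not the paper's code). The primes $p = 2\cdot101\cdot3 + 1$ and $q = 2\cdot131\cdot1 + 1$, the toy parameters $\kappa = 8$ and $b = 32$, the use of SHA-256 as $H$, and the choice $c = a + \kappa$ with the top bit of $z$ fixed (the paper takes $a = c$ and $z \in_R \mathbb{Z}_{2^c}$; the fixed top bit only makes the forgery attempt of Section 3.2 fail deterministically instead of with overwhelming probability) are assumptions of this example. `factor_from_order_multiple` runs the loop over $i = 0, \ldots, a$, of which the proof sketch treats the case $i = 0$.

```python
import hashlib
import secrets
from math import gcd

# Toy Scheme I and the factoring step of Lemma 2. Constructed parameters (not the
# paper's): p = 2 p' p'' + 1 and q = 2 q' q'' + 1 with p', q' prime, p'', q'' odd.
P, P1, P2 = 607, 101, 3          # 607 = 2*101*3 + 1
Q, Q1, Q2 = 263, 131, 1          # 263 = 2*131*1 + 1
N = P * Q
ORD = 2 * P1 * Q1                # Ord_n(g) = lcm(p', 2q') = 2p'q', the paper's "q"
K = ORD.bit_length()             # 2^(k-1) < Ord_n(g) < 2^k
KAPPA, B_BITS = 8, 32            # toy; the paper uses kappa = 80, b = 80
A_BITS = B_BITS + K + KAPPA      # a >= b + k + kappa
C_BITS = A_BITS + KAPPA          # c >= k + 2kappa and c + b >= a + kappa (paper: a = c)


def asymmetric_basis():
    """Section 3.2: g_p of order p' mod p, g_q of order 2q' mod q, glued by CRT."""
    while True:                  # (p-1)/p' = 2p''; p' prime, so g_p != 1 gives order p'
        g_p = pow(secrets.randbelow(P - 2) + 2, (P - 1) // P1, P)
        if g_p != 1:
            break
    while True:                  # order divides 2q'; exclude 1, 2 (g_q = +-1) and q'
        g_q = pow(secrets.randbelow(Q - 2) + 2, (Q - 1) // (2 * Q1), Q)
        if g_q not in (1, Q - 1) and pow(g_q, Q1, Q) != 1:
            break
    g = (Q * pow(Q, -1, P) * g_p + P * pow(P, -1, Q) * g_q) % N
    assert pow(g, ORD, N) == 1 and pow(g, ORD // 2, N) != 1   # 2-parts 0 and 1 differ
    return g


def H(x, m):
    """e = H(x, m): SHA-256 (our choice) truncated to b bits."""
    data = x.to_bytes((N.bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - B_BITS)


def keygen():
    g = asymmetric_basis()
    z = (1 << (C_BITS - 1)) | secrets.randbits(C_BITS - 1)  # |z| = c fixed (assumption)
    s = z % ORD                                             # secret key, |s| <= k << |n|/2
    return (N, g, z), s


def sign(pk, s, m):
    n, g, z = pk
    while True:
        r = secrets.randbits(A_BITS)      # pre-computation: (r, x) independent of m
        x = pow(g, r, n)
        e = H(x, m)
        y = r + s * e                     # on-line: one (b x k)-bit multiplication
        if y < 1 << A_BITS:               # |y| < a + 1; fails with prob ~2^-kappa, resample
            return e, y


def hash_ok(pk, m, sig):
    n, g, z = pk
    e, y = sig
    # y - ze = r - (z - s)e and Ord_n(g) | z - s, hence g^(y - ze) = g^r = x.
    return e == H(pow(g, y - z * e, n), m)


def verify(pk, m, sig):
    return 0 <= sig[1] < 1 << A_BITS and hash_ok(pk, m, sig)


def forge_without_secret(pk, m):
    """Section 3.2: y = r' + ze passes the hash test for any r'; only the size test
    rejects it, since y >= ze >= 2^(c-1) >= 2^a whenever e >= 1."""
    n, g, z = pk
    r = secrets.randbits(A_BITS)
    e = H(pow(g, r, n), m)
    return e, r + z * e


def factor_from_order_multiple(n, g, L):
    """Lemma 2: from g^L = 1 (mod n) with g an asymmetric basis, write L = 2^a b with
    b odd and find the i at which g^(2^i b) is 1 modulo exactly one prime factor; the
    proof sketch treats i = 0. At most a+1 exponentiations, i.e. O(|L||n|^2)."""
    a, b = 0, L
    while b % 2 == 0:
        a, b = a + 1, b // 2
    for i in range(a + 1):
        d = gcd(pow(g, b << i, n) - 1, n)
        if 1 < d < n:
            return d
    raise ValueError("g is not an asymmetric basis or L is not a multiple of its order")
```

The secret key here is $s = z \bmod \mathrm{Ord}_n(g)$, which is $k = 15$ bits against $|n|/2 = 9$ bits for the PS-scheme on the same toy modulus only because the toy primes are tiny; with the paper's parameters it is 160 bits against 513. The forgery shows why the verifier must check the size of $y$: the exponent test alone is satisfied by anyone who knows $z$.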

Theorem 3 Let $Q$ (resp. $R$) be the number of queries which a polynomial-time adversary $\mathcal{A}$ can ask to the random oracle (resp. the actual signer). Assume that $q/2^a$ and $1/2^b$ are negligible. Also assume that, by executing an adaptive chosen-message attack, $\mathcal{A}$ can forge a signature with non-negligible probability $\varepsilon > 10(R + 1)(R + Q)/2^b$ and with average running time $T$. Then we can construct a polynomial-time machine $M$ which can factor $n$ with non-negligible probability in expected time $O(QT/\varepsilon + \cdots)$. 



Proof. (Sketch) We first show that the signatures in the proposed scheme can be statistically simulated by a polynomial-time machine. This machine is simulated according to the protocol as in [PS00]. 

We denote by $p(\alpha, \beta, \gamma)$ and $p'(\alpha, \beta, \gamma)$ the probabilities that $(\alpha, \beta, \gamma)$ is output by the signature algorithm and by the simulator, respectively. We set $\phi = (2^b - 1)(2^k - 1)$, and let $\mathcal{R} : \{0,1\}^* \to \{0,1\}^b$ be an ideal hash function (random oracle) for a given message $m \in \{0,1\}^*$. For an integer $\Lambda$ and a positive constant $\Delta$, $N(\mathcal{R}, \Lambda, \Delta)$ is defined to be the number of pairs $(e, y) \in [0, 2^b) \times [\Lambda, \Lambda + \Delta)$ such that $\mathcal{R}(g^{y - ze}, m) = e$. Then we have the following, where for a predicate $p$, $\chi(p)$ is the characteristic function of $p$, that is, $\chi(p) = 1$ if $p$ is true, and $\chi(p) = 0$ otherwise. 

Therefore, the summation $S = \sum |p(\alpha, \beta, \gamma) - p'(\alpha, \beta, \gamma)|$ has an upper bound of $8q(2^b - 1)/2^a$, because $S = 2\bigl(1 - N(\mathcal{R}, \phi, 2^a - \phi)/2^a\bigr)$ holds similarly to [PS98], because the bound on $2^a - \phi$ holds as there, and because $\phi = (2^b - 1)(2^k - 1) < (2^b - 1)\cdot 2q$ follows from $2^{k-1} < q < 2^k$. If $q/2^a$ is negligible, then so is $8q(2^b - 1)/2^a$, and consequently the output of the real signer and that of the simulator are statistically indistinguishable. 

Next, by using the technique in [PS00], we can get a multiple $L$ of $\mathrm{Ord}_n(g)$ such that $g^L \equiv 1 \pmod n$. Here $g$ is an asymmetric basis in $\mathbb{Z}_n^*$, therefore by the result of Lemma 2 we can get a factor of $n$. □ 

4 Optimized Scheme 

In this section, we give an optimized scheme (Scheme II) which is superior to Scheme I in terms of the computational work for a signer. The main feature of Scheme II is that the modulus $n$ consists of three or more primes instead of the RSA modulus used in Scheme I, so a signer can make use of the CRT technique more efficiently. For example, in Scheme II with $n$ having three prime factors, the computational cost for the pre-computation $x$ $(= g^r \bmod n)$ can be reduced to about $4/9$ of that in Scheme I (or the PS-scheme) with an RSA modulus $n$. A preprint version of Scheme II can be seen in [OTM01]. In this paper, we consider further the concrete security of Scheme II. 

4.1 Protocols 

Key generation step: The signer determines the number of factors $t \ge 3$, picks $t$ same-size primes $p_i$ $(1 \le i \le t)$ and computes $n = \prod_{i=1}^{t} p_i$. After that, she chooses a divisor $q$ of $\lambda(n)$ and finds an element $g \in \mathbb{Z}_n^*$ of order $q$. Also she picks a random number $z \in \mathbb{Z}_{2^c}$ and computes $s = z \bmod q$. The secret key is $s$ and the corresponding public key is $(n, g, z)$. 

The other steps are executed in the same way as in Scheme I (see Section 3.1). 

4.2 Description 

The conditions on the parameters $k$, $\kappa$, $a$, $b$ and $c$ are the same as those in Scheme I (see Section 3.2). Furthermore, the primes $p_i$ $(1 \le i \le t)$ and $g \in \mathbb{Z}_n^*$ are generated along the lines of Section 3.2. 

In [PS98,PS99] we can see two types of attack: the one-key attack, where an adversary tries to forge valid signatures for a fixed public key, and the possible-key attack, where an adversary tries to forge valid signatures for possible public keys, a possible public key being any public key satisfying the conditions on the parameters. The security consideration under the one-key attack scenario seems to be a stricter analysis of security than that under the possible-key attack scenario. 
We have seen that the security of Scheme I is based on integer factoring. On the other hand, it is unknown, under the one-key attack scenario, whether Scheme II is as secure as that problem or not. To estimate more concrete security, we define the following problem. 

Definition 4 (Finding order problem) This problem is as follows. Given $n \in \mathbb{N}_{>1}$ and $g \in \mathbb{Z}_n^*$, find $L$, where $L$ is a multiple of $\mathrm{Ord}_n(g)$ and $|L|$ is bounded by a polynomial in $|n|$. ■ 

In Scheme II, if we assume the intractability of the finding order problem, the same result as Theorem 3 is obtained. The result (i.e. the theorem) is proved, without loss of generality, in the same way as the proof of Theorem 3. 

5 Integer Factoring Problem 

In this section, we consider the secure size of $n$, and also discuss the secure number of prime factors of $n$ in our schemes. 

Of course, if the modulus $n$ were factored, then the proposed signature schemes would be broken. In [LLMP90], we can see the number field sieve method for factorization, which is the most efficient algorithm ever proposed, and whose running time depends upon the size of $n$. On the other hand, in [Len87], we can see the elliptic curve method, which is also one of the efficient algorithms for factorization, and whose running time depends upon the size of the factors of $n$. Therefore, which one is faster is determined by the size of the input and by the number of factors of $n$. 

As for Scheme II, referring to [Sil99] for the computational cost of the algorithms, in case $|n| = 1024$ and $n$ has three prime factors, the number field sieve method is faster, whereas in case $n$ has four prime factors, the elliptic curve method is faster. Hence, supposing that $|n|$ is 1024 and $t$ is 3 in the proposed scheme, and that $|n|$ is 1024 in the PS-scheme, we can say that the number field sieve method is the faster (and fastest) algorithm to factor $n$ in the respective schemes, and that the respective computational costs for factoring $n$ are almost the same. 

6 Performance 

In this section, we evaluate the efficiency of our schemes by comparing them with existing schemes. The parameters in the proposed Scheme I (resp. Scheme II) are set to $|n| = 1024$ and $k = 160$ by taking $\kappa = 80$, $b = 80$ and $a = c = 320$ (resp. $|n| = 1024$, $t = 3$ and $k = 192$ by taking $\kappa = 80$, $b = 80$ and $a = c = 352$). 

Table 1 gives the performance of various signature schemes including ours. Here the primitive arithmetic of the binary method [Knu81] is used. For all schemes in the table, we set up the parameters under the one-key attack scenario. Hence the size of the secret key in the GPS-scheme is 1024 bits. For more discussion on it, we refer to [Po00]. 

UMP means the underlying mathematical problem that the signature scheme relies on for its security. The terms CPC, CSG and CVF mean the computational cost for pre-computation, signature generation and verification, respectively. The terms SPK, SSK and SSig mean the size of a public key, a secret key and a signature, respectively. 

Table 1. Performance of signature schemes 

Scheme                                          UMP                     CPC (xM)  CSG        CVF (xM)  SPK (bits)  SSK (bits)  SSig (bits) 
Scheme I   (|n| = 1024, a = 320, κ = 80)        Integer factoring          240    80 x 160      600        2048         160          400 
Scheme II  (|n| = 1024, a = 352, t = 3, κ = 80) Finding order              176    80 x 192      648        2048         192          432 
PS-scheme [PS99] (|n| = 1024, |A| = 672)        Integer factoring          384    80 x 512     1656        1024         513          752 
GPS-scheme [PS98] (|n| = 1024)                  Discrete log. modulo n     384    80 x 1024    1796        3072        1024         1264 

In CPC, the signer uses the CRT technique if possible. In SPK for our schemes, the size of the public key is optimized: we regard the actual public key as $(n, g)$, and $z$ is computed by a hash function $H' : \{0,1\}^* \to \{0,1\}^c$. 

For the respective computational costs, the unit M represents the computational cost of one multiplication under a 1024-bit modulus, and $\alpha \times \beta$ represents the computational cost of multiplying an $\alpha$-bit number by a $\beta$-bit number over $\mathbb{Z}$. 
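An added example (not the paper's code) of the CRT pre-computation that Section 4 relies on, together with the operation count behind the CPC and CVF columns of Table 1. Two rules are assumed: the binary method costs about 1.5 modular multiplications per exponent bit, and a multiplication modulo an $(|n|/t)$-bit prime costs $(1/t)^2$ of M. With them the table's 240, 176, 600, 648 and 1656 are reproduced exactly; the PS-scheme CPC of 384 corresponds to a 512-bit exponent, i.e. $r$ reduced modulo $p - 1$ and $q - 1$ by a signer who knows the factors, which is our reading of that entry; and the $4/9$ of Section 4 appears as the limit where the exponent is as long as a prime factor. The toy primes are constructed here.

```python
from math import prod

# Added example (not the paper's code): CRT pre-computation of x = g^r mod n for a
# modulus with t prime factors (Section 4) and the operation count behind Table 1.
# The primes below are toy values constructed for illustration.


def crt_pow(g, r, primes):
    """x = g^r mod n as t exponentiations modulo the p_i, recombined by CRT. Only the
    signer, who knows the p_i, can do this; the verifier must work modulo n. The
    exponent is kept at full length, which is what the CPC column of Table 1 counts
    (a signer who knows the p_i could also reduce r modulo p_i - 1)."""
    n = prod(primes)
    x = 0
    for p in primes:
        n_i = n // p
        x += pow(g % p, r, p) * n_i * pow(n_i, -1, p)
    return x % n


def cost_in_M(exp_bits, t):
    """Cost, in units of M (one multiplication modulo a 1024-bit n), of g^e with an
    exp_bits-bit exponent by the binary method [Knu81], split over t same-size prime
    factors: t residues, ~1.5 multiplications per exponent bit each, and one
    multiplication modulo an (|n|/t)-bit prime costing (1/t)^2 M.
    t * 1.5 * exp_bits * (1/t)^2 = 1.5 * exp_bits / t (kept in this exact form)."""
    return 1.5 * exp_bits / t


def table1_cpc_cvf():
    """CPC and CVF entries of Table 1 from the rule above. CVF has t = 1 because the
    verifier cannot split the modulus. Exponent lengths: a for pre-computation;
    |y - ze| ~ c + b (resp. |y - ne| ~ |n| + |B| for the PS-scheme) for verification."""
    return {
        "Scheme I": (cost_in_M(320, 2), cost_in_M(320 + 80, 1)),
        "Scheme II": (cost_in_M(352, 3), cost_in_M(352 + 80, 1)),
        "PS-scheme": (cost_in_M(512, 2), cost_in_M(1024 + 80, 1)),  # 512: r mod (p-1)
    }


def crt_precompute_ratio(n_bits, t_new, t_old):
    """Section 4: when the exponent is as long as a prime factor (|n|/t bits), the
    pre-computation cost is proportional to |n|^3 / t^2, so t = 3 costs 4/9 of t = 2."""
    return cost_in_M(n_bits / t_new, t_new) / cost_in_M(n_bits / t_old, t_old)
```

With the table's actual exponent lengths ($a = 352$ against $a = 320$) the ratio is $176/240 \approx 0.73$ rather than $4/9$, because the exponent in Scheme II is not shortened in step with the prime factors; the $4/9$ is the limit the text refers to.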

Since the PS-scheme is intended to be used with a modulus that is the product of two strong primes, $g = 2$ is a correct basis and does not have to be included in the public key. Consequently, we set SPK = 1024 for the PS-scheme. Therefore, one may say that the PS-scheme is more efficient than our schemes in terms of the size of the public key. 

We can say that the proposed signature schemes are quite efficient in view of both the computational cost and the data size. Concretely, Scheme I (resp. Scheme II) reduces the computational cost by 38% (resp. 54%) for pre-computation, by 69% (resp. 63%) for signature generation, and by 64% (resp. 61%) for verification, compared with the PS-scheme. For the data size, the secret-key size in ours is reduced by 69% (resp. 63%) compared with the PS-scheme, and the signature size by 47% (resp. 43%); in Table 1 this is 160 and 400 bits for Scheme I against 513 and 752 bits for the PS-scheme. 

By Table 1, we can say that the proposed signature schemes are efficient and require a relatively weak computational assumption for their security. 
7 Conclusion 

In this paper, we have proposed efficient signature schemes which are derived from a three-pass identification scheme, and which are constructed by improving the PS-scheme in terms of the compactness of signatures. Like the PS-scheme (or GPS-scheme), the proposed schemes are so-called "on the fly" signature schemes, that is, they do not require a modular reduction in the signature generation step. We have shown that our schemes are existentially unforgeable against any polynomial-time adversary executing an adaptive chosen-message attack in the random oracle model. Furthermore, the underlying computational problem is the integer factoring problem for Scheme I and a mathematically well-defined problem (the finding order problem) for Scheme II, respectively. We have also shown that ours are more efficient than the PS-scheme in view of the computational cost and also in view of the sizes of a secret key and a signature. 
Abstract. In this paper we devise a generalization of the Geffe generator that combines more than three periodic inputs over $\mathrm{GF}(q)$. In particular, clock-controlled shift registers are suggested as inputs. The period and the linear complexity of the generated key-stream are estimated. We also prove some new results about the period of the sequence generated by a clock-controlled shift register. 

Keywords: cryptography, key-stream generator, clock-controlled shift register, Geffe generator. 



1 Introduction 

The basic building block that we want to use for constructing a key-stream generator consists of a control register CR and a clock-controlled generating register GR. A control register generates a sequence of nonnegative integers $a = \{a_i\}_{i \ge 0}$ and cycles periodically with period $\pi$. Hereafter in this paper, by period we mean the least period of a sequence, as opposed to a multiple period. A generating register is an LFSR over $P = \mathrm{GF}(q)$ with irreducible feedback polynomial $f(x)$ of degree $m \ge 1$ and order $M$. Let $b = \{b(i)\}_{i \ge 0}$ denote the output sequence from the GR when clocked regularly, and let $\alpha$ be a root of $f(x)$ in the splitting field of $f(x)$. In some cases, further in this paper, primitiveness of $f(x)$ will be required. Then $\lambda = q^m - 1$ will denote the maximal possible order of $f(x)$. Let also $S$ denote $\sum_{k=0} \cdots$ 

In the clock-controlled mode, the output sequence $u = \{u(t)\}_{t \ge 0}$ is generated in the following way (see Fig. 1). The initial output is $u(0) = b(a_0)$. Further, after output $u(t-1)$ has been generated, the CR specifies the nonnegative integer $a_t$, the GR is shifted $a_t$ times and then produces the next output $u(t)$. After that, the GR is shifted once to be ready for the next iteration. Thus, the general form of an output sequence element is 

$u(t) = \cdots$ for $t \ge 0$. (1) 

In the sequel, by irregular clocking we mean the above type of clock control applied to the GR. 
Fig. 1. Clock-controlled arrangement: the control register CR clocks the generating register GR. 

Section 2 of the paper starts with some results about uniform decimation of linear recurring sequences in the field $P = \mathrm{GF}(q)$. These results are used to estimate the period of a sequence generated by a clock-controlled LFSR. We also derive some new conditions for sequences obtained by uniform decimation to reach their maximum linear complexity. Further, we estimate the period of the output sequence generated by an arbitrary clock-controlled LFSR with an irreducible feedback polynomial and an arbitrary structure of the control sequence. A sufficient condition for this period to reach its maximal value is formulated. Some specific configurations of clock-controlled arrangements with a maximal period of the output sequence are defined. Relevant recommendations for estimating the linear complexity are also presented. 

In Sect. 3 we construct a key-stream generator based on the one suggested by Geffe in [1]. Unlike the Geffe generator, which has three binary input m-sequences, our generator runs over the field $P = \mathrm{GF}(q)$ and combines multiple inputs having arbitrary periods. In particular, this implies that clock-controlled shift registers can be used as inputs. The original Geffe generator cannot be used for key-stream generation since its combining function is zero-order correlation immune and correlation attacks apply easily. Using clock-controlled registers and multiple inputs makes this generator immune against fast correlation attacks and less susceptible to basic attacks. We analyze some relevant algebraic properties of the suggested generator. 

2 Period and Linear Complexity 
of Clock-Controlled LFSR’s 

First, we need some results about sequences obtained by uniform decimation of linear recurring sequences with irreducible characteristic polynomial. These results will be used further to estimate the period of a sequence generated by a clock-controlled LFSR. 

Definition 1. Let $l$ and $k$ be arbitrary nonnegative integers with $k > 0$. Then the sequence $v = \{v(i)\}_{i \ge 0}$ defined by $v(i) = u(l + ki)$ for $i \ge 0$ is called the uniform $(l, k)$-decimation of the sequence $u = \{u(i)\}_{i \ge 0}$. We will also say that $v$ is obtained by uniform $(l, k)$-decimation of $u$. 

Let $f(x)$ be an irreducible polynomial of degree $m > 0$ and order $M$ over $P = \mathrm{GF}(q)$. Further, taking into account the fact that $Q = \mathrm{GF}(q^m)$ is the splitting field of $f(x)$, let $\alpha$ be a root of $f(x)$ in the extension field $Q = \mathrm{GF}(q^m)$ of $P$. Let $m(k)$ denote the degree of $R_k = P(\alpha^k)$ over $P$. Let also $f_k(x)$ denote 
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the minimal polynomial of over P. Note that fk{x) is irreducible in P[x\. Then 
directly from the definition of extension degree it follows that deg fk{x) = m(k) 
and evidently m{k) \ m = m(l). 

We denote the set of all homogeneous linear recurring sequences in P with 
characteristic polynomial f{x) by Lp{f). If degree of f{x) is m then Lp{f) 
is an TO-dimensional vector space over P. Item (a) of the following theorem is 
a particular case of [2, Proposition]. Item (b) is an easy generalization of [3, 
Lemma 17]. 

Theorem 1 . Under the conditions imposed above, let I and k be arbitrary non- 
negative integers and k > Q, then: 

(a) The uniform {I, k) -decimation defines a homomorphism of the vector space 
Lp{f) onto Lp{fk). This homomorphism is an isomorphism if and only if 
m{k) = m. 

(b) If f{x) is a primitive polynomial and if u is a nonzero sequence belonging 

to Lp{f) then every nonzero sequence w G Lp{fk) can be obtained as a 
uniform {I, k)- decimation of u using exactly different values of I G 

{0, . . . , A — 1}, and the zero sequence can be obtained similarly using exactly 
qm-m{k) _ different values of I G {0, . . . , X — 1}. 

Note 1. The polynomial $f_k(x)$ is the minimal polynomial of $\alpha^k$, so it is irreducible. Since the order of $\alpha^k$ (that is equal to the order of $f_k(x)$) is given by $\operatorname{ord} \alpha^k = M / \gcd(k, M)$, we conclude that $f_k(x)$ has order $M$ if and only if $k$ is relatively prime to $M$. Further, if $\gcd(k, M) = 1$ then $f_k(x)$ has degree $m$. Indeed, the degree of $f_k(x)$ is equal to the least value of $t$, $t > 0$, for which $(\alpha^k)^{q^t} = \alpha^k$, or equivalently $(\alpha^k)^{q^t - 1} = 1$. But $\operatorname{ord} \alpha^k = M$ and $\gcd(k, M) = 1$. It follows that $M \mid q^t - 1$ and thus that $t = m$.

Corollary 1. Let $\gcd(k, M) = 1$. Then every uniform $(l, k)$-decimation sequence of any nonzero sequence $u \in L_P(f)$ is equal to a nonzero sequence belonging to $L_P(f_k)$ and no nonzero sequence $w \in L_P(f_k)$ can be obtained as a uniform $(l, k)$-decimation of $u$ using more than one value of $l \in \{0, \ldots, M - 1\}$.

Proof. When applying the uniform decimation with parameters $l \ge 0$ and $k > 0$ to sequences in $L_P(f)$ we can assume that $l < M$ since all these sequences have the multiple period $M$. Moreover, if we fix some arbitrary value of $l$, $0 \le l < M$, then for any $l' \ge 0$ the uniform $(l', k)$-decimation of any nonzero sequence from $L_P(f)$ is equal to the uniform $(l, k)$-decimation of some other nonzero sequence from $L_P(f)$. Thus, for any fixed value of $l$, $0 \le l < M$, the set containing the uniform $(l', k)$-decimation sequences of any nonzero sequence $u \in L_P(f)$, when $k > 0$ is fixed and $l'$ takes all possible nonnegative values, is equal to the set containing the uniform $(l, k)$-decimation sequences of some $M$-cardinal subset of nonzero sequences in $L_P(f)$. Now since $m = m(k)$, the statement easily follows from Item (a) of Theorem 1. □

Corollary 2. If the degree $m$ of the polynomial $f(x)$ is a prime number then $m(k) = m$ if and only if $k$ is not a multiple of $M / \gcd(M, q - 1)$. Moreover, if $M / \gcd(M, q - 1) \nmid k$ then every uniform $(l, k)$-decimation sequence of any nonzero sequence $u \in L_P(f)$ is equal to a nonzero sequence belonging to $L_P(f_k)$ and no nonzero sequence $w \in L_P(f_k)$ can be obtained as a uniform $(l, k)$-decimation of $u$ using more than one value of $l \in \{0, \ldots, M - 1\}$.



Proof. Since $m(k) \mid m$ and $m$ is prime, only two alternatives are possible: either $m(k) = m$ or $m(k) = 1$, in which case $(\alpha^k)^q = \alpha^k$. So, $m(k) = 1$ if and only if $M$ divides $k(q - 1)$, i.e. $M / \gcd(M, q - 1) \mid k$. The rest of the proof goes the same way as in Corollary 1. □



Corollary 3. If $f(x)$ is a primitive polynomial and $k < q^{m/2}$ then $\deg f_k(x) = m$. Moreover, under these conditions, every uniform $(l, k)$-decimation sequence of any nonzero sequence $u \in L_P(f)$ is equal to a nonzero sequence belonging to $L_P(f_k)$ and every nonzero sequence $w \in L_P(f_k)$ can be obtained as a uniform $(l, k)$-decimation of $u$ using a unique value of $l \in \{0, \ldots, \lambda - 1\}$.

Proof. By virtue of Theorem 1, Item (a), all uniform $(l, k)$-decimation sequences of $u$ belong to $L_P(f_k)$ and we have to prove that $m(k) = m$.

By definition, $\operatorname{ord} \alpha^k = \lambda / \gcd(k, \lambda)$ divides $q^{m(k)} - 1$ and $m(k) \mid m$, as was noted before. Hence, if $m(k) < m$ then $m(k) \le m/2$ and therefore $\lambda / \gcd(k, \lambda) \le q^{m/2} - 1$, i.e. $\gcd(k, \lambda) \ge \lambda / (q^{m/2} - 1) > q^{m/2}$. In particular, $k > q^{m/2}$, which contradicts the condition imposed.

Therefore, $m(k) = m$ and by Theorem 1, Item (b), the zero sequence can be obtained as a uniform $(l, k)$-decimation of $u$ using exactly $q^{m - m(k)} - 1 = 0$ different values of $l \in \{0, \ldots, \lambda - 1\}$. So, all uniform $(l, k)$-decimation sequences of $u$ are nonzero. Every nonzero linear recurring sequence $w \in L_P(f_k)$ can be obtained as a uniform $(l, k)$-decimation of $u$ using exactly $q^{m - m(k)} = 1$ value of $l \in \{0, \ldots, \lambda - 1\}$. □

Further in this section, we continue to use the terminology and notations introduced in Sect. 1. As a generalization of Definition 1 of a uniform decimation, we can consider the output sequence $u$, obtained from (1), as a nonuniform decimation of $b$ according to the control sequence $a$ as follows:

$u(i + j\pi) = b(\sigma(i) + jS)$ for $0 \le i < \pi$, $j \ge 0$, (2)

where $S = \sigma(\pi)$. Hence, any uniform $(i, \pi)$-decimation of $u$ is a uniform $(\sigma(i), S)$-decimation of $b$. By Theorem 1, Item (a), the latter decimation belongs to $L_P(f_S(x))$. The output sequence $u$ consists of $\pi$ such sequences interleaved and belongs to $L_P(f_S(x^\pi))$.

Since the period of the sequence b divides the order M of f{x), we conclude 
that all elements of a can be reduced modulo M without any effect on the 
output sequence u. So, from now on we assume without loss of generality that 
all elements of a are nonnegative integers less than M. 

It is obvious that the minimum of the degrees of the irreducible factors of $f_S(x^\pi)$ provides a lower bound for the linear complexity of the output sequence $u$ and the lowest possible order of any irreducible factor of $f_S(x^\pi)$ gives a lower bound for the period of $u$.

Since $\operatorname{ord} f_S(x) = \operatorname{ord} \alpha^S = M / \gcd(S, M)$ and $u$ consists of $\pi$ interleaved sequences belonging to $L_P(f_S(x))$, from (2) it easily follows that the period of $u$ divides $\pi M / \gcd(S, M)$. From [4, Lemma 1] it follows that if $u$ is nonzero then its period is a multiple of $\pi' M / \gcd(S, M)$, where $\pi'$ is the product of all prime factors of $\pi$, not necessarily distinct, which are also factors of $M / \gcd(S, M)$. This provides the lower bound for the period. In particular, if every prime factor of $\pi$ also divides $M / \gcd(S, M)$ then the period of $u$ reaches the maximal value $\pi M / \gcd(S, M)$. Note that zero output sequences can be generated even if the initial state of the GR is nonzero and $f(x)$ is primitive.

By Note 1, if $S$ is relatively prime to $M$ then $f_S(x)$ is irreducible of degree $m$ and order $M$. For $P = \mathrm{GF}(2)$ and such an $f_S(x)$, Theorem 2 in [5] provides an exact lower bound for the degree of any irreducible factor of $f_S(x^\pi)$. From this theorem it easily follows that if $f(x)$ is primitive, if $\gcd(S, \lambda) = 1$, and if every prime factor of $\pi$ also divides $\lambda$ then $f_S(x^\pi)$ is irreducible. In this case the linear complexity of $u$ reaches its maximal possible value $\pi m$ (this is equal to the degree of $f_S(x^\pi)$).

In many cases the period of sequence u can be determined more precisely. 
The following theorem extends [6, Theorem 4]. Recently, in [4, Theorem 2] Golic 
generalized this result for an arbitrary GR having an LFSR structure. 



Theorem 2. The output sequence $u$ is periodic. If for $l \in \{0, \ldots, M - 1\}$ the uniform $(l, S)$-decimation sequences of $b$ are all distinct then the period of $u$ is equal to

$\tau(\pi, M, S) = \dfrac{\pi M}{\gcd(S, M)}$.



Let us assume that $b$ is a nonzero sequence. Then, by Theorem 1, Item (a), all the uniform $(l, S)$-decimation sequences of $b$ for $l \in \{0, \ldots, M - 1\}$ are distinct if $m(S) = m$ (see [4, Proposition 2], where a similar fact was proved for an arbitrary GR having LFSR structure).



Proposition 1. Let $f(x)$ be a primitive polynomial of degree $m$, so it has the maximal possible order $\lambda = q^m - 1$. Then all uniform $(l, S)$-decimation sequences of $b$ are distinct for $l \in \{0, \ldots, \lambda - 1\}$ if and only if for any $l \in \{0, \ldots, \lambda - 1\}$ the uniform $(l, \gcd(S, \lambda))$-decimation of $b$ is nonzero.



Proof. Let us first consider the congruence $xS \equiv y \gcd(S, \lambda) \pmod{\lambda}$ where $x \ge 0$ and $y \ge 0$. It is evident that for any fixed value of $x = 0, 1, 2, \ldots$ this congruence is solvable with respect to $y$ and for any fixed value of $y = 0, 1, 2, \ldots$ it is solvable with respect to $x$. Thus, for any $l \ge 0$ a uniform $(l, S)$-decimation of $b$ contains exactly the same elements as a uniform $(l, \gcd(S, \lambda))$-decimation.

Suppose now that for some $k, t \in \{0, \ldots, \lambda - 1\}$ with $k \ne t$, the uniform $(k, S)$- and $(t, S)$-decimation sequences of $b$ are equal. By Theorem 1, Item (b), they can be equal if and only if $q^{m - m(S)} \ge 2$, and this is so if and only if for some $l \in \{0, \ldots, \lambda - 1\}$ the uniform $(l, S)$-decimation of $b$ is zero. But then the uniform $(l, \gcd(S, \lambda))$-decimation is zero too. □

The following corollary easily follows from Corollaries 2 and 3, Proposition 1 and Theorem 2.

Corollary 4. Let $b$ be a nonzero sequence and suppose that one of the following two conditions holds:

(a) the degree $m$ of $f(x)$ is prime and $S$ is not a multiple of $M / \gcd(M, q - 1)$;

(b) $f(x)$ is a primitive polynomial (so, of order $\lambda = q^m - 1$) and $\gcd(S, \lambda) < q^{m/2}$.

Then the period of $u$ is equal to $\tau(\pi, M, S) = \pi M / \gcd(S, M)$.

Note that if $f(x)$ is primitive then one has $M = \lambda = q^m - 1$. If the conditions of Theorem 2, Proposition 1 and Corollary 4 do not hold then the period of the decimated sequence may be equal to or smaller than $\pi M / \gcd(S, M)$. If $S$ is relatively prime to $M$, it follows from Corollary 1 and Theorem 2 that the period of $u$ reaches the maximal value $\pi M$ (this is Theorem 4 in [6]).
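The counting statements of Theorem 1(b), the degree claim of Note 1 and the period formula of Theorem 2 / Corollary 4(b), checked on a small instance as an added example (this is not code from the paper): $P = \mathrm{GF}(2)$, $f(x) = x^4 + x + 1$, so $m = 4$ and $M = \lambda = 15$. The clock-control sequence, the reading of $\sigma(i)$ as the number of register shifts made before output $i$, and the Berlekamp-Massey routine used to measure $m(k)$ are assumptions made here, not part of the paper.

```python
from math import gcd

M_DEG = 4                   # m
TAPS = (0, 1)               # s[j+4] = s[j] ^ s[j+1], i.e. f(x) = x^4 + x + 1 (primitive over GF(2))
LAMBDA = 2 ** M_DEG - 1     # order of f: lambda = q^m - 1 = 15

def m_sequence(taps=TAPS, state=(1, 0, 0, 0), length=LAMBDA):
    """A nonzero sequence u in L_P(f): s[j+m] = XOR of s[j+i] over the taps i."""
    s = list(state)
    while len(s) < length:
        j = len(s) - len(state)
        s.append(sum(s[j + i] for i in taps) & 1)
    return s

def berlekamp_massey(seq):
    """Linear complexity of a binary sequence, i.e. the degree of its minimal polynomial."""
    n = len(seq)
    c, b = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, shift = 0, 1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d == 0:
            shift += 1
            continue
        t = c[:]
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, b, shift = i + 1 - L, t, 1
        else:
            shift += 1
    return L

def uniform_decimation(u, l, k, length):
    """Definition 1: v(i) = u(l + k i); u is one full period and is read cyclically."""
    return tuple(u[(l + k * i) % len(u)] for i in range(length))

def m_k(k, m=M_DEG, q=2):
    """m(k) = deg f_k: least t >= 1 with (alpha^k)^(q^t) = alpha^k, i.e. k q^t = k (mod lambda)."""
    t = 1
    while (k * q ** t - k) % (q ** m - 1):
        t += 1
    return t

def check_theorem1b(k):
    """Theorem 1(b) for u = the m-sequence: among l in {0..lambda-1} the zero sequence arises
    2^(m-m(k)) - 1 times and each nonzero (l,k)-decimation 2^(m-m(k)) times; a nonzero one lies
    in L_P(f_k) with f_k irreducible, so (Note 1) its linear complexity is m(k)."""
    u = m_sequence()
    counts = {}
    for l in range(LAMBDA):
        v = uniform_decimation(u, l, k, LAMBDA)
        counts[v] = counts.get(v, 0) + 1
    mult, zero = 2 ** (M_DEG - m_k(k)), (0,) * LAMBDA
    return counts.get(zero, 0) == mult - 1 and all(
        c == mult and berlekamp_massey(list(v)) == m_k(k) for v, c in counts.items() if v != zero)

def clock_controlled_output(b, steps, length):
    """Eq. (2): u(i + j pi) = b(sigma(i) + j S).  Assumption made here: steps[i] is the number of
    shifts before output i within a period, sigma(i) their running sum and S = sigma(pi)."""
    pi = len(steps)
    sigma = [sum(steps[:i]) for i in range(pi + 1)]    # sigma(0) = 0, ..., sigma(pi) = S
    S = sigma[pi]
    return [b[(sigma[i % pi] + (i // pi) * S) % len(b)] for i in range(length)], S

def period(seq):
    """Least p with seq[i] == seq[i + p] for all i; seq must span at least two periods."""
    return next(p for p in range(1, len(seq))
                if all(seq[i] == seq[i + p] for i in range(len(seq) - p)))

def check_theorem2(steps):
    """Returns (period of u, pi*M/gcd(S,M), Corollary 4(b) condition gcd(S,lambda) < q^(m/2)).
    When the condition holds the first two agree; the period always divides the second."""
    pi = len(steps)
    u, S = clock_controlled_output(m_sequence(), steps, 2 * pi * LAMBDA)
    return period(u), pi * LAMBDA // gcd(S, LAMBDA), gcd(S, LAMBDA) < 2 ** (M_DEG / 2)
```

With `steps = [1, 2, 1]` one gets $S = 4$, coprime to 15, and the period $\pi M / \gcd(S, M) = 45$; with `steps = [2, 2, 1]`, $S = 5$ violates Corollary 4(b) and the period only divides $\pi M / \gcd(S, M) = 9$.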

3 Generalized Geffe Generator 

Combining linear feedback shift registers with a memoryless nonlinear function $F$ is a well-known way to increase the period and the linear complexity of the key-stream, as well as to reduce the correlation between the key-stream sequence and the LFSR sequences that are used as input of $F$, see [7]. The key-stream generator discussed in this section is a memoryless combiner based on a specific combining function that implements a nonuniform decimation of input sequences. The key-stream sequence is obtained by irregularly interleaving the decimated sequences. Both decimation and interleaving operations are controlled by the same sequence, being one of the combining function inputs. This construction can be seen as a generalization of the Geffe generator from [1].

First, we need to define and fix an ordering in the finite field $P = \mathrm{GF}(q)$ by numbering the elements from 0 to $q - 1$, thus $P = \{p_0, \ldots, p_{q-1}\}$. Let the combining function $F$ from $P^{q+1}$ to $P$ be defined by $F(p_j, x_0, \ldots, x_{q-1}) = x_j$ for $j = 0, \ldots, q - 1$. Thus, the first argument of $F$ selects which of the remaining $q$ arguments is taken as the output of the function. Let us assume that a periodic sequence $a = \{a_i\}_{i \ge 0}$ in $P$ (we will also call it the control sequence of $F$) with the period $\pi$ and linear complexity $L$ is fed to the first argument of $F$ and that $q$ periodic sequences $b^j = \{b^j_i\}_{i \ge 0}$ ($j = 0, \ldots, q - 1$) in $P$ with periods $\lambda_j$ and linear complexity $L_j$ respectively are fed to the remaining $q$ arguments. Let $u = \{u_i\}_{i \ge 0}$ denote the output sequence generated by the function $F$ (see Fig. 2). The period and linear complexity of $u$ are estimated further in this section.

Before we can continue, we need some preliminary lemmas. The first one is a special case of a fundamental result on the period of nonuniformly decimated sequences, as established in [8, Theorem 3].

Fig. 2. Generalized Geffe generator



Lemma 1. Let $c = \{c_i\}_{i \ge 0}$ be a periodic sequence with the period $T$ and let the sequence $c' = \{c'_i\}_{i \ge 0}$ be a uniform $d$-decimation of $c$ for some integer $d > 0$. Then $c'$ is periodic and if $T'$ denotes its period then

(a) $T' \mid T / \gcd(T, d)$;

(b) If $\gcd(T, d) = 1$ then $T' = T$.



Let $K$ denote the least common multiple of the periods of the sequences $b^j$ ($j = 0, \ldots, q - 1$), so $K = \operatorname{lcm}(\lambda_0, \ldots, \lambda_{q-1})$, and let $d$ denote $\gcd(\pi, K)$. It is obvious that $K$ is equal to the period of the sequence of $q$-grams $B = \{(b^0_i, \ldots, b^{q-1}_i)\}_{i \ge 0}$.

Lemma 2. Suppose that the sequence $a$ contains all elements of $P$ and that the $q$-gram sequence $B$ with the period $K$ contains a $q$-tuple that is equal to $P$ in the sense of set equality. Suppose moreover that $\gcd(\pi, K) = 1$. Then $\tau = \pi K$.



Proof. Under the hypothesis of the lemma, we can list a set of integers $t_j \ge 0$ ($j = 0, \ldots, q - 1$) such that $a_{t_j} = p_j$. Let us consider the $q$ uniform $(t_j, \pi)$-decimation sequences of the output $u$ by taking $j = 0, \ldots, q - 1$. Since $\pi$ is the period of the control sequence $a$, the $(t_j, \pi)$-decimation of $u$ is equal to the $(t_j, \pi)$-decimation of $b^j$. But the hypothesis of the lemma claims that $\gcd(\pi, K) = 1$, whence it follows that $\gcd(\pi, \lambda_j) = 1$ for $j = 0, \ldots, q - 1$. Hence by Lemma 1, Item (b), the period of the $(t_j, \pi)$-decimation of $b^j$ is $\lambda_j$ for $j = 0, \ldots, q - 1$. But since these decimation sequences are decimation sequences of $u$ as well, by Lemma 1, Item (a), $\lambda_j \mid \tau$ for $j = 0, \ldots, q - 1$ and thus $K \mid \tau$.

Under the hypothesis of the lemma, there exists an integer $t \ge 0$ such that the $q$-tuple $(b^0_t, \ldots, b^{q-1}_t)$ can be obtained by permuting the elements in $(p_0, \ldots, p_{q-1})$. Let us now consider the uniform $(t, K)$-decimation of the output sequence $u$. Since $K$ is the period of the $q$-gram sequence $B$, this decimation is equal to the $(t, K)$-decimation of $a$ whose elements are substituted afterwards according to the rule defined by the permutation transforming $(p_0, \ldots, p_{q-1})$ into $(b^0_t, \ldots, b^{q-1}_t)$. A one-to-one mapping applied to the elements of a sequence does not affect its period. Since $\gcd(\pi, K) = 1$, by Lemma 1, Item (b), the period of the $(t, K)$-decimation of $a$ is $\pi$. But since this decimation is a decimation of $u$ as well, by Lemma 1, Item (a), $\pi \mid \tau$.

Now since $K \mid \tau$, $\pi \mid \tau$ and $\gcd(\pi, K) = 1$ we can conclude that $\pi K \mid \tau$. On the other hand, it is obvious that $\tau \mid \pi K$ and thus $\tau = \pi K$. □



Theorem 3. The sequence $u$ is periodic. Let $\tau$ denote the period of $u$. Then $\tau \mid \operatorname{lcm}(\pi, K)$. Moreover, if the sequence $a$ is such that each of its uniform $d$-decimation sequences contains all the elements of $P$ and the $q$-gram sequence $B$ is such that all its uniform $d$-decimation sequences contain a $q$-tuple that is equal to $P$ in the sense of set equality, then

$\dfrac{\pi K}{\gcd(\pi, K)^2} \,\Big|\, \tau$.



Proof. It is obvious that in every $\operatorname{lcm}(\pi, K) = \operatorname{lcm}(\pi, \lambda_0, \ldots, \lambda_{q-1})$ steps all input sequences complete their full cycle. Since the function $F$ is memoryless, the output sequence $u$ completes a full cycle as well in $\operatorname{lcm}(\pi, K)$ steps. Thus $u$ is periodic and $\tau \mid \operatorname{lcm}(\pi, K)$.

Let us consider the $q$-gram sequence $B$. Since all sequences $b^j$ ($j = 0, \ldots, q - 1$) are periodic with the period equal to $\lambda_j$ respectively, it is obvious that the $q$-gram sequence $B$ is periodic as well with the period equal to $\operatorname{lcm}(\lambda_0, \ldots, \lambda_{q-1}) = K$.

Now we fix an arbitrary $t \in \{0, \ldots, d - 1\}$ and consider the uniform $(t, d)$-decimation sequences of $a$, $u$ and $B$. Let $\pi_t$, $\tau_t$ and $K_t$ denote the respective periods of these decimation sequences. Then, by Lemma 1, Item (a),

$\pi_t \,\Big|\, \dfrac{\pi}{\gcd(\pi, d)} = \dfrac{\pi}{d}, \qquad \tau_t \mid \tau \qquad \text{and} \qquad K_t \,\Big|\, \dfrac{K}{\gcd(K, d)} = \dfrac{K}{d}.$ (3)

Since $\gcd(\pi/d, K/d) = 1$, it follows that $\gcd(\pi_t, K_t) = 1$.

Let us now consider the memoryless combiner described above when the uniform $(t, d)$-decimation sequences of the respective original sequences are fed into the arguments of $F$. Thus, the control sequence of $F$ has period $\pi_t$ and the $q$-gram sequence, feeding the rest of the arguments of $F$, has period $K_t$ satisfying $\gcd(\pi_t, K_t) = 1$. We note that the output sequence of $F$ has period $\tau_t$ since it is a uniform $(t, d)$-decimation of the sequence $u$. So, the conditions of Lemma 2 are met and thus it follows that

$\tau_t = \pi_t K_t$, (4)

for all $t \in \{0, \ldots, d - 1\}$.

By (3), $\pi_t$ divides $\pi/d$ for $t = 0, \ldots, d - 1$ and therefore $\operatorname{lcm}(\pi_0, \ldots, \pi_{d-1}) \mid \pi/d$. The sequence $a$ can be reconstructed by interleaving the $d$ sequences obtained by $(t, d)$-decimating $a$ for $t = 0, \ldots, d - 1$, and thus $d \cdot \operatorname{lcm}(\pi_0, \ldots, \pi_{d-1})$ is a multiple period of $a$, that is $\pi \mid d \cdot \operatorname{lcm}(\pi_0, \ldots, \pi_{d-1})$. Hence $\operatorname{lcm}(\pi_0, \ldots, \pi_{d-1}) = \pi/d$. In the same way it is easy to show that $\operatorname{lcm}(K_0, \ldots, K_{d-1}) = K/d$.

From (3) it also follows that $\gcd(\pi_i, K_j) = 1$ ($i, j = 0, \ldots, d - 1$). Thus, using (4),

$\operatorname{lcm}(\tau_0, \ldots, \tau_{d-1}) = \operatorname{lcm}(\pi_0 K_0, \ldots, \pi_{d-1} K_{d-1}) = \operatorname{lcm}(\operatorname{lcm}(\pi_0, K_0), \ldots, \operatorname{lcm}(\pi_{d-1}, K_{d-1}))$

$= \operatorname{lcm}(\pi_0, \ldots, \pi_{d-1}, K_0, \ldots, K_{d-1}) = \operatorname{lcm}(\operatorname{lcm}(\pi_0, \ldots, \pi_{d-1}), \operatorname{lcm}(K_0, \ldots, K_{d-1}))$

$= \operatorname{lcm}(\pi_0, \ldots, \pi_{d-1}) \cdot \operatorname{lcm}(K_0, \ldots, K_{d-1}) = \dfrac{\pi K}{d^2}.$

Also by (3), $\tau_t$ divides $\tau$ for $t = 0, \ldots, d - 1$ and therefore $\operatorname{lcm}(\tau_0, \ldots, \tau_{d-1}) = \dfrac{\pi K}{d^2} \,\Big|\, \tau$. □
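The combiner of this section on constructed inputs, as an added example (not code from the paper): it computes $u_i = F(a_i, b^0_i, \ldots, b^{q-1}_i) = b^{a_i}_i$ over $P = \{0, \ldots, q - 1\}$, measures the period $\tau$, tests the hypothesis of Theorem 3, and checks both of its divisibility claims ($\tau \mid \operatorname{lcm}(\pi, K)$ and $\pi K / \gcd(\pi, K)^2 \mid \tau$), with the $\gcd(\pi, K) = 1$ case reducing to Lemma 2. The two input sets below are constructed for this example, one period each.

```python
from math import gcd, lcm

def combiner_output(a, bs, length):
    """u_i = F(a_i, b^0_i, ..., b^{q-1}_i) = b^{a_i}_i; every input is given by one period."""
    return [bs[a[i % len(a)]][i % len(bs[a[i % len(a)]])] for i in range(length)]

def period(seq):
    """Least p with seq[i] == seq[i + p] for all i; seq must span at least two periods."""
    return next(p for p in range(1, len(seq))
                if all(seq[i] == seq[i + p] for i in range(len(seq) - p)))

def qgram_sequence(bs):
    """One period (length K = lcm of the lambda_j) of B = {(b^0_i, ..., b^{q-1}_i)}."""
    K = lcm(*(len(b) for b in bs))
    return [tuple(b[i % len(b)] for b in bs) for i in range(K)]

def theorem3_hypothesis(a, bs, q):
    """Every uniform (t, d)-decimation of a contains all of P and every (t, d)-decimation of B
    contains a q-tuple equal to P as a set, d = gcd(pi, K).  Because d divides both pi and K,
    one period of a (resp. B) already runs through a full period of each decimation."""
    B = qgram_sequence(bs)
    d, P = gcd(len(a), len(B)), set(range(q))
    return all(set(a[t::d]) == P and any(set(g) == P for g in B[t::d]) for t in range(d))

def check_theorem3(a, bs, q):
    """Period tau of u and the two divisibility claims of Theorem 3: tau | lcm(pi, K) always,
    and pi*K / gcd(pi, K)^2 | tau under the hypothesis (tau = pi*K when gcd(pi, K) = 1)."""
    pi, K = len(a), lcm(*(len(b) for b in bs))
    d = gcd(pi, K)
    tau = period(combiner_output(a, bs, 2 * lcm(pi, K)))
    return {"tau": tau,
            "tau_divides_lcm": lcm(pi, K) % tau == 0,
            "lower_bound": pi * K // d ** 2,
            "lower_bound_divides_tau": tau % (pi * K // d ** 2) == 0,
            "hypothesis": theorem3_hypothesis(a, bs, q)}

# Constructed inputs, q = 2.  Case 1: pi = 4, lambda_0 = 3, lambda_1 = 2, so K = 6 and d = 2.
# Case 2: pi = 3, lambda_0 = 2, lambda_1 = 4, so K = 4 and d = 1 (the situation of Lemma 2).
CASE1 = ([0, 1, 1, 0], [[1, 0, 0], [0, 1]])
CASE2 = ([0, 1, 1], [[0, 1], [0, 0, 1, 1]])
```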

The following lemma, that easily follows from [2, Proposition], will be needed to estimate the linear complexity of $u$.

Lemma 3. Let $c = \{c_i\}_{i \ge 0}$ be a periodic sequence having linear complexity $L$ and let $c' = \{c'_i\}_{i \ge 0}$ be a uniform $d$-decimation of $c$ for some integer $d > 0$. Then there exists a polynomial $f_{(d)}(\cdot)$ annihilating $c'$ as well as all $d$-decimation sequences of $c$, where the degree of $f_{(d)}(\cdot)$ is not greater than $L$.

Proposition 2. Let $L$ denote the linear complexity of an output sequence $u$. Then $L \le \pi(L_0 + \cdots + L_{q-1})$. If $q = 2$, the sequences $b^0$ and $b^1$ are nonzero, and the respective periods $\pi$, $\lambda_0$, and $\lambda_1$ are pairwise coprime then $L \ge (L - 1)(L_0 + L_1 - 2)$.

Proof. To prove the claimed upper bound on the linear complexity of the sequence $u$ it is sufficient to present a polynomial $P(\cdot)$ of degree not greater than $\pi(L_0 + \cdots + L_{q-1})$ for which $P(u) = 0$ (i.e. $P$ is an annihilating polynomial of $u$). Let us consider an arbitrary uniform $\pi$-decimation of $u$. Since $\pi$ is the period of the control sequence $a$, this decimation is equal to the $(t_j, \pi)$-decimation of $b^j$ for some $j \in \{0, \ldots, q - 1\}$ and $t_j \in \{0, \ldots, \lambda_j - 1\}$. Then, by Lemma 3, there exists a polynomial $Q_j(\cdot)$ of degree not greater than $L_j$ annihilating this decimation as well as all the other $\pi$-decimation sequences of $b^j$. The polynomial $Q_j(\cdot)$ also annihilates the uniform $\pi$-decimation of $u$ that we consider.

Now let $Q(\cdot)$ be the least common multiple of the polynomials $Q_0(\cdot), \ldots, Q_{q-1}(\cdot)$, where $Q_j(\cdot)$ is the polynomial annihilating any $\pi$-decimation of $b^j$. Then $Q(\cdot)$ annihilates any $\pi$-decimation of $u$ and thus the polynomial $P(\cdot) = Q(x^\pi)$ of degree not greater than $\pi(L_0 + \cdots + L_{q-1})$ annihilates $u$. Thus the linear complexity of $u$ is at most $\pi(L_0 + \cdots + L_{q-1})$.

The second part of the proposition follows from [9, Theorem 6] since the algebraic normal form of the combining function for $q = 2$ is $F(a, x_0, x_1) = a(x_0 \oplus x_1) \oplus x_0$. The condition $q = 2$ is required since only then the algebraic normal form of $F$ is free from powers. □

It remains an open problem how to estimate a nontrivial lower bound for the 
linear complexity of the output sequence u when q > 2. 

If we assume that input sequences of the combining function F are sequences 
of uniform, independent and identically distributed random variables (i.e. purely 
random sequences) then its output sequence is purely random as well since the 
combining function of the generator is balanced. Thus the balance quality of the 
combining function ensures good statistical properties of the key-stream. 

Sequences produced by linear feedback shift registers (clocked regularly or irregularly) could be used as inputs for the function $F$ in practical implementations of the key-stream generator described above. Let us note that the combining function $F$ of the generator is memoryless, balanced and zero-order correlation immune (its output is correlated to the inputs $x_0, \ldots, x_{q-1}$ and this correlation decreases if $q$ is increased). Thus when all shift registers are clocked regularly, it is possible to apply the basic or fast correlation attack in order to reconstruct the initial state of the shift registers that produce the sequences $b^j$ ($j = 0, \ldots, q - 1$). Therefore it is reasonable to use large $q$ and/or clock-controlled LFSRs to generate the sequences $b^j$ ($j = 0, \ldots, q - 1$). We note that knowing the periods of the control and the generating registers, one can easily verify the condition of coprimality in Proposition 2. Memoryless combiners of clock-controlled LFSRs can also be susceptible to certain types of correlation attacks. But the essential benefit of these combiners consists in their immunity against fast correlation attacks.

For practical implementation of the suggested generator it may be reasonable to select $q$ as a power of 2, and to generate binary sequences $a$ and $b^j$ ($j = 0, \ldots, q - 1$), to feed them as input to the $(q + 1)$-input combining function $F$. The control sequence is split into $\log_2 q$-long tuples that are used to index the sequences $b^j$ ($j = 0, \ldots, q - 1$). Following the first half of the proof of Lemma 2, it can be readily shown that if the control sequence splits into $\log_2 q$-tuples consisting of all $q$ possible values and if $\gcd(\pi, K) = 1$ then $K \mid \tau$.
Abstract. Linear Feedback Shift Registers (LFSRs) are used as pseudorandom keystream generators in cryptographic schemes. Hardware implementations of LFSRs are simple and fast but their software implementation is not quite efficient. Here we present a fast software implementation strategy for LFSRs. The output will be available as a block of bits after each operation. We discuss theoretical issues for such block oriented implementation and present the necessary algorithms. We clearly identify the constraints in the choice of connection polynomials for block oriented implementation. Actual implementation results have been presented in support of our claims. The results emphasise the usability of LFSRs in software based stream cipher systems.

Keywords: Block Oriented LFSR, Connection Polynomials, Stream Cipher.



1 Introduction 

In this paper we deal with the issues related to fast software implementation 
of Linear Feedback Shift Registers. We here introduce the concept of block ori- 
ented LFSR. The LFSR of length n is divided into y blocks of b bits each. We 
present an equivalent linear recurrence relation between these y blocks for the 
software implementation. After each operation, the output of the LFSR is one 
block of b bits. In the next section we discuss some preliminary concepts of LF- 
SRs. Section 3 deals with the issues of software implementation techniques for 
block LFSRs and provides a concrete design strategy. The performance analysis 
of this implementation is discussed in Section 4. Note that there are some con- 
straints regarding the choice of connection polynomials in the strategy proposed 
in Section 3. We partially solve this problem in Section 5. 

2 Preliminaries 

An LFSR consists of a set of registers each of which can take the value 0 or 1. The connection pattern of an LFSR can be indicated by a polynomial over GF(2) and this polynomial is called the connection polynomial. We consider a degree $n$ polynomial over GF(2) as $x^n \oplus \bigoplus_{i=0}^{n-1} a_i x^i$, where $a_i \in \{0, 1\}$. Note that $\oplus$ is addition modulo 2 and $+$ indicates ordinary integer addition. By the weight of this polynomial we mean the number of nonzero terms, i.e., $1 + \#\{a_i = 1\}$. Next we consider an LFSR of length $n$ (i.e., $n$ registers) corresponding to this degree $n$ polynomial. We denote the bit positions of the LFSR by $z_0, z_1, \ldots, z_{n-1}$. By $v_i$ we mean the value at the bit position $z_i$, $i = 0, \ldots, n - 1$. For the LFSR in Figure 1, $n = 6$, and the bit positions are $z_0, z_1, \ldots, z_5$. The Least Significant Bit (LSB) starts from the extreme right side (in Figure 1, $z_0$). The leftmost bit is the Most Significant Bit (MSB). We denote the locations of the $t$ taps (i.e., where $a_i = 1$) in the LFSR by $p_0, p_1, \ldots, p_{t-1}$, where $p_0 < p_1 < \cdots < p_{t-1}$, i.e., $p_0$ is closest to the LSB while $p_{t-1}$ is closest to the MSB. In Figure 1, $t = 4$ and $p_0 = 0, p_1 = 2, p_2 = 3, p_3 = 5$.

An output bit is obtained from the LFSR by the following mechanism. A new bit $v_n$ is obtained by XORing the bit values of the positions corresponding to the taps $p_j$, i.e., $v_n = \bigoplus_{j=0}^{t-1} v_{p_j}$. The LSB comes out as the output bit and each of the remaining bits undergoes one right shift. Thereafter, the vacant MSB is filled up by the new bit $v_n$, already generated. In hardware, this entire operation is completed in one clock.

For an LFSR with $t$ taps, the connection polynomial actually contains $(t + 1)$ terms, $t$ places where $a_i = 1$ and the term $x^n$. The polynomial $x^n \oplus \bigoplus_{j=0}^{t-1} x^{p_j}$ yields a recurrence relation of the form $v_{k+n} = \bigoplus_{j=0}^{t-1} v_{k+p_j}$, for $k \ge 0$. By $v_{k+i}$ we denote the value of the bit $z_i$ after $k$ clocks. In Figure 1, the recurrence relation is $v_{k+6} = v_{k+5} \oplus v_{k+3} \oplus v_{k+2} \oplus v_k$. For more details about LFSRs see [2,1,5] and the references in these documents.

The LFSR outputs a single bit in each clock. Hardware implementation of such a structure is simple and fast. The main problem is an efficient software implementation of such a system. In [3] a method for simulation of an LFSR has been described using a binary matrix. It is clear that we can represent the state of an LFSR (of length $n$) by an $n \times 1$ binary column vector $x$. If $x_0$ is the initial state and $x_i$ is the state after $i$ clocks, $x_i$ can be derived from $x_0$ by the operation $x_i = A^i x_0$, where $A$ is an $n \times n$ binary matrix, called the state transition matrix (see [3] for details). Thus, we can write $x_{nk} = A^n x_{n(k-1)}$, for $k \ge 1$. But the process involves matrix multiplication over GF(2), and the required number of steps is $O(n^2)$ for $n$ output bits, i.e., $O(n)$ for a single bit.

Fig. 1. Bit operation of an LFSR.

An algorithm for fast software implementation has been described in [4] by 
packing the LFSR into integers of size 32 bits. However, a closer look at the 
algorithm in [4] reveals that the number of logical operations needed to generate 
a single bit is at least 9, which makes it inefficient. 

3 Block Oriented Implementation of LFSRs 

Here we consider an LFSR as an aggregate of blocks of fixed size. By the term 
block we mean a number of contiguous bits. As the constituent elements of the 
LFSR are now blocks, the output will be one block instead of a single bit. Our 
main objective will be to find out an efficient algorithm which outputs one block 
after each operation. First we fix a few parameters to explain the algorithm for 
block operation. 

1. The LFSR of size $n$ corresponds to the connection polynomial of degree $n$.

2. We consider that the LFSR consists of $y$ blocks, each of size $b$. So, $n = yb$. As an example, we can consider a 32 bit LFSR with block size 8, i.e., $n = 32$ and $b = 8$, so $y = 4$ (see Figure 2).

3. These $y$ blocks are denoted by $Y_0, Y_1, \ldots, Y_{y-1}$. Here, $Y_0$ is the right most (least significant) block. Bits in any block $Y_i$ are denoted by $Y_{i,0}, Y_{i,1}, \ldots, Y_{i,b-1}$ (from LSB to MSB). The bit position $z_l$, $l = 0, \ldots, n - 1$, of the LFSR can be related to the corresponding bit position in blocks by $Y_{i,j}$, where the block position is $i = l / b$ (the quotient) and the relative position in block $Y_i$ is $j = l \% b$ (the remainder). In any block $Y_i$, the rightmost bit position $Y_{i,0}$ is termed the boundary position.

Fig. 2. Block-oriented LFSR.

4. The initial state of a block $Y_i$ (i.e., the set of values of all the $b$ bits in this block) is denoted by $I_i$. In terms of bits, $Y_{i,0} = I_{i,0}, Y_{i,1} = I_{i,1}, \ldots, Y_{i,b-1} = I_{i,b-1}$, $I_{i,j} \in \{0, 1\}$. The state of a block changes after completion of one block operation. After obtaining $k$ output blocks (i.e., at the end of $k$ block operations), we denote the value of $Y_i$ by $I_{k+i}$. In Figure 2, the initial state of the LFSR is $Y_0 = I_0, Y_1 = I_1, Y_2 = I_2, Y_3 = I_3$ and after one block operation, $Y_0 = I_1, Y_1 = I_2, Y_2 = I_3, Y_3 = I_4$.

5. The position of any tap $p_j$ ($j = 0, \ldots, t - 1$) is mapped to the bit position $Y_{q_j, r_j}$, where $q_j = p_j / b$ and $r_j = p_j \% b$. In Figure 2, there are two taps $p_0 = 8$ and $p_1 = 11$, correspondingly $q_0 = 1$, $q_1 = 1$ and $r_0 = 0$, $r_1 = 3$.

The motivation behind defining the block operation is to find out a fast method of computation to get $I_y$ out of $I_0, I_1, \ldots, I_{y-1}$ and thereby to arrive at a recurrence relation for $I_{k+y}$ in terms of $I_{k+0}, I_{k+1}, I_{k+2}, \ldots, I_{k+y-1}$.

Example 1. We consider $n = 32$, $b = 8$, $y = 4$, i.e., each block is one byte. Let the connection polynomial be $x^{32} \oplus x^{11}$. Here, the tap $p_0 = 11$ is in bit position $Y_{1,3}$ as $q_0 = 1$ and $r_0 = 3$. After one block operation, the state of the LFSR is $Y_0 = I_1, \ldots, Y_3 = I_4$. The new block $I_4$ is to be expressed as a combination of the block states $I_0, I_1, I_2, I_3$. The 8 successive new bits generated from the LFSR constitute $I_4$. These 8 new bits $I_{1,3}, I_{1,4}, I_{1,5}, I_{1,6}, I_{1,7}$ and $I_{2,0}, I_{2,1}, I_{2,2}$ are the 8 successive values of the tap position $Y_{1,3}$. We can rewrite the block $I_4$ as $I_4 = (I_{2,2}, I_{2,1}, I_{2,0}, 0, 0, 0, 0, 0) \oplus (0, 0, 0, I_{1,7}, I_{1,6}, I_{1,5}, I_{1,4}, I_{1,3})$. Simplifying, $I_4 = (I_2 \ll 5) \oplus (I_1 \gg 3)$. Thus, the byte oriented recurrence relation will be $I_{k+4} = (I_{k+2} \ll 5) \oplus (I_{k+1} \gg 3)$, for $k \ge 0$.

Now we generalise the expression. For a single tap $p_0$, the new block generated from one block operation actually consists of $b$ successive new bits generated from the LFSR, i.e., $b$ successive values of the bit position $Y_{q_0, r_0}$. Thus the new block consists of $b$ contiguous bits, starting from position $Y_{q_0, r_0}$ towards the left. This is the basic principle behind the generation of a new block for a tap by one complete block operation. Evidently these $b$ bits are the left most $(b - r_0)$ bits of the block $Y_{q_0}$ and the right most $r_0$ bits of the adjacent left block $Y_{q_0 + 1}$. So, $I_y = (I_{q_0+1, r_0-1}, \ldots, I_{q_0+1, 0}, 0, \ldots, 0) \oplus (0, \ldots, 0, I_{q_0, b-1}, \ldots, I_{q_0, r_0})$. Thus the recurrence relation for a block operation is

$I_{k+y} = (I_{k+q_0+1} \ll (b - r_0)) \oplus (I_{k+q_0} \gg r_0)$, for $k \ge 0$. (3a)

In total we need three logical operations for getting a new block corresponding to a single tap. It is important to note that $r_0$ bits of its adjacent left block are also required for the construction of the resultant block. When $q_0 = y - 1$ and $r_0 > 0$, to generate the new block $I_y$ we require the $r_0$ bits of block $I_y$, which is actually the new block to be obtained from the LFSR. Hence it will not hold when the position of the tap $p_0 > n - b$, i.e., beyond the boundary position $Y_{y-1, 0}$. Considering this restriction, for now, our discussion for defining the block operation is kept confined to tap positions $\le n - b$. We will tackle this partially in Section 5.
Next we investigate the case of $t > 1$ taps. Considering the bit operation (see Section 2) of block LFSRs, the first new bit generated is $\bigoplus_{i=0}^{t-1} I_{q_i, r_i}$. Thus for the initial state $I_0, \ldots, I_{y-1}$ of the block oriented LFSR, the resultant block $I_y$ generated for $t$ taps can be obtained by XORing all the new blocks generated from each tap considering them individually. So $I_y = \bigoplus_{i=0}^{t-1} I_y^{p_i}$, where $I_y^{p_i}$ denotes the new block generated by the tap $p_i$ had it been the only tap of the LFSR for the given state.

Example 2. Consider the connection polynomial $x^{32} \oplus x^{15} \oplus x^{11}$. Here both the taps are in block $Y_1$ and $p_0 = 11$, $p_1 = 15$. Hence, $q_0 = q_1 = 1$ and $r_0 = 3$ and $r_1 = 7$. So, the new block $I_4 = I_4^{p_0} \oplus I_4^{p_1}$, where $I_4^{p_0} = (I_{2,2}, I_{2,1}, I_{2,0}, I_{1,7}, \ldots, I_{1,3})$ and $I_4^{p_1} = (I_{2,6}, \ldots, I_{2,0}, I_{1,7})$. Thus, $I_4^{p_0}$ and $I_4^{p_1}$ are the two new blocks generated by the block operation, considering each of the taps $p_0$ and $p_1$ separately for the LFSR state $I_0, \ldots, I_3$.

Without loss of generality, we can extend the relation to any given state of the LFSR, $I_{k+y-1}, \ldots, I_k$, where $k \ge 0$. Thus the recurrence relation for the resultant new block $I_{k+y}$ for $t$ taps is $I_{k+y} = \bigoplus_{i=0}^{t-1} I_{k+y}^{p_i}$ for $k \ge 0$. (3b)

Using Equation (3a), $I_{k+y}^{p_i} = (I_{k+q_i+1} \ll (b - r_i)) \oplus (I_{k+q_i} \gg r_i)$. Combining Equations (3a) and (3b), with the restriction for tap positions $0 \le p_0 < p_1 < \cdots < p_{t-1} \le n - b$, the recurrence relation for the block operation is presented by the following lemma.

Lemma 1. Consider a polynomial $x^n \oplus \bigoplus_{i=0}^{n-1} a_i x^i$ over GF(2), where $n = yb$, $b$ is the block size and $y$ is the number of blocks. Let there be $t = \#\{a_i = 1\}$ taps at the positions $p_0, p_1, \ldots, p_{t-1}$, such that $0 \le p_0 < p_1 < \cdots < p_{t-1} \le n - b$. Consider $p_i = bq_i + r_i$, where $0 \le r_i \le b - 1$. Then the block oriented recurrence relation for this LFSR is

$I_{k+y} = \bigoplus_{i=0}^{t-1} \big((I_{k+q_i+1} \ll (b - r_i)) \oplus (I_{k+q_i} \gg r_i)\big)$, for $k \ge 0$.

Now we consider a special case of the above lemma with each tap $p_i$ at the boundary position, i.e., $r_i = 0$. This, using Lemma 1, gives $I_{k+y} = \bigoplus_{i=0}^{t-1} \big((I_{k+q_i+1} \ll b) \oplus (I_{k+q_i} \gg 0)\big)$, i.e., $I_{k+y} = \bigoplus_{i=0}^{t-1} I_{k+q_i}$ for $k \ge 0$. (3c)

Thus, we can generate the new block for a boundary tap without any bit shifting operation. Equation (3c) indicates that for the taps at boundary locations, the generation of a new block requires a single logical operation. This can be successfully exploited for a more efficient software implementation. Let us now present the corollary as follows.

Corollary 1. Consider a polynomial $x^n \oplus \bigoplus_{i=0}^{n-1} a_i x^i$ over GF(2), where $n = yb$, $b$ is the block size and $y$ is the number of blocks. Let there be $t = \#\{a_i = 1\}$ taps at the positions $p_0, p_1, \ldots, p_{t-1}$, such that $0 \le p_0 < p_1 < \cdots < p_{t-1} \le n - b$. Consider $p_i = bq_i$ for all $i$. Then the block oriented recurrence relation for this LFSR is $I_{k+y} = \bigoplus_{i=0}^{t-1} I_{k+q_i}$ for $k \ge 0$.

Combining Lemma 1 and Corollary 1, we get the following theorem defining the
block oriented recurrence relation with certain restrictions.

Theorem 1. Consider a polynomial x^n ⊕ ⊕_{i=0}^{n-1} a_i x^i over GF(2), where n = yb,
b is the block size and y is the number of blocks. Let there be t = #{a_i = 1}
taps (t = t_1 + t_2), such that the t_1 taps 0 ≤ p_0 < p_1 < ⋯ < p_{t_1-1} ≤ n − b
are at boundary locations, with r_i = 0 for 0 ≤ i ≤ t_1 − 1, and the remaining t_2
taps, 0 < p_{t_1} < p_{t_1+1} < ⋯ < p_{t-1} < n − b, are not at boundary locations, i.e.,
p_i = b q_i + r_i, where 0 < r_i ≤ b − 1, t_1 ≤ i ≤ t − 1. Then the block oriented
recurrence relation for this LFSR is

    I_{k+y} = ⊕_{i=0}^{t_1-1} I_{k+q_i} ⊕ ⊕_{i=t_1}^{t-1} ((I_{k+q_i+1} << (b − r_i)) ⊕ (I_{k+q_i} >> r_i)), for k ≥ 0.

Next we present a simple C like algorithm for the implementation of this theorem
(⊕ denotes the bitwise XOR of two b-bit blocks, << and >> the logical shifts; the
index i of the boundary loop selects the block I[k + q[i]], not I[k + y]).

Implementation blockLFSROutput

    for (i = 0; i < t; i++) { q[i] = p[i]/b; r[i] = p[i]%b; }
    k = 0;
    while output is required {
        I[k + y] = 0;
        for (i = 0; i < t1; i++) I[k + y] = I[k + y] ⊕ I[k + q[i]];
        for (i = t1; i < t; i++)
            I[k + y] = I[k + y] ⊕ ((I[k + q[i] + 1] << (b − r[i])) ⊕ (I[k + q[i]] >> r[i]));
        Output I[k]; k = k + 1;
    }

The space overhead for storing the array I can be easily avoided by allocating
this array dynamically for a certain number of output blocks at a time. After
generation of a good number of blocks the array can be released, retaining only
the last y blocks, which are required to generate further blocks. It should
be noted that it is always preferable to implement an LFSR using an array, since
a linked list or other standard data structure requires a higher number of
operations for accessing each element. According to the above implementation,
we require one logical operation for each boundary tap and four logical operations
(two shifts and two XORs) for each non boundary tap. Thus we have the following result.

Theorem 2. Consider a block oriented LFSR as in Theorem 1 with t_1 boundary
and t_2 non boundary taps. Then the software implementation blockLFSROutput
will require (t_1 + 4 t_2)/b logical operations on average to generate each output bit.

4 Implementation Results

To get the maximum linear complexity, the connection polynomials of LFSRs
are generally taken as primitive over GF(2). We execute the following steps to
generate the connection polynomials.

1. Choose a polynomial x^n ⊕ ⊕_{i=0}^{y-1} a_{ib} x^{ib} over GF(2), where a_{ib} ∈ {0, 1} and
   #{a_{ib} = 1} = t_1. Let us denote these (boundary) tap positions as p_0, …, p_{t_1-1}.

2. Apart from these positions p_0, …, p_{t_1-1}, randomly choose t_2 other positions
   from 1 to n − b − 1 that are not multiples of b, such that the weight
   t + 1 = t_1 + t_2 + 1 is odd (the weight of a primitive polynomial is always odd).
   Let us denote these tap positions as p_{t_1}, …, p_{t-1}.

3. Check whether the polynomial x^n ⊕ ⊕_{i=0}^{t-1} x^{p_i} is primitive. If it is primitive,
   then report it and terminate. Else go to step 2.
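The three steps above, carried out in Python for n = 32 and b = 8, as an added example that is not code from the paper. Polynomials over GF(2) are Python ints (bit i holds a_i); primitivity is tested by checking that x has order exactly 2^n − 1 in GF(2)[x]/(f), which needs the prime factors of 2^n − 1 (trial division is enough for n = 32). The choice t_2 = 4 and the random seed are assumptions of this example, and the test only makes sense for the small degrees where 2^n − 1 factors easily.

```python
"""Added example, not part of the paper: steps 1-3 of Section 4 for n = 32, b = 8,
i.e. a primitive connection polynomial that carries all y boundary taps plus t_2
random non boundary taps.  Polynomials over GF(2) are Python ints (bit i = a_i).
The factorisation of 2^n - 1 by trial division is only practical for small n."""
import random


def gf2_mulmod(u, v, f, n):
    """u * v mod f in GF(2)[x]; f is monic of degree n (bit n set), u, v < 2^n."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if (u >> n) & 1:
            u ^= f
    return r


def gf2_powmod(u, e, f, n):
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, u, f, n)
        u, e = gf2_mulmod(u, u, f, n), e >> 1
    return r


def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for 2^32 - 1)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def is_primitive(f, n, pf):
    """f of degree n is primitive iff x has order exactly 2^n - 1 in GF(2)[x]/(f):
    constant term 1 (so x is a unit), x^(2^n) == x, and x^((2^n - 1)/q) != 1 for
    every prime q | 2^n - 1.  A reducible f cannot pass: its unit group is smaller
    than 2^n - 1, so no element of the quotient ring has that order."""
    if (f >> n) != 1 or not (f & 1):
        return False
    order = (1 << n) - 1
    if gf2_powmod(2, 1 << n, f, n) != 2:          # 2 is the polynomial x
        return False
    return all(gf2_powmod(2, order // q, f, n) != 1 for q in pf)


def search_primitive(n, b, t2, rng, pf, max_tries=100000):
    """Step 1: all y boundary taps 0, b, ..., n - b (t_1 = y).  Step 2: t_2 random
    non boundary taps in 1..n-b-1 that are not multiples of b, with t = t_1 + t_2
    even so that the weight t + 1 is odd.  Step 3: primitivity test, retry on failure."""
    boundary = [i * b for i in range(n // b)]
    candidates = [p for p in range(1, n - b) if p % b]
    if (len(boundary) + t2) % 2:
        raise ValueError("t = t1 + t2 must be even: a primitive polynomial has odd weight")
    for _ in range(max_tries):
        taps = boundary + rng.sample(candidates, t2)
        f = (1 << n) | sum(1 << p for p in taps)
        if is_primitive(f, n, pf):
            return f, sorted(taps)
    return None


def demo_search(seed=2001, n=32, b=8, t2=4):
    """Deterministic driver (constructed seed): returns (f, taps) or None."""
    return search_primitive(n, b, t2, random.Random(seed), prime_factors((1 << n) - 1))


def poly_str(f):
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(f.bit_length() - 1, -1, -1) if (f >> i) & 1]
    return " + ".join(terms)


if __name__ == "__main__":
    f, taps = demo_search()
    print(poly_str(f), "taps:", taps, "sigma = (4 + 4*4)/8 =", (4 + 4 * 4) / 8)
```

The result has t_1 = 4 boundary taps (0, 8, 16, 24) and t_2 = 4 non boundary ones, i.e. the t = 8 row of Table 1 with σ = 2.50. The same `is_primitive` rejects p_1(x) itself, which is (x^4 + x^3 + x^2 + x + 1)^8 and therefore reducible.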




Efficient Software Implementation of Linear Feedback Shift Registers 303 



Table 1. Results for 32 degree primitive polynomials (b = 8, t_1 = 4 boundary taps from
p_1(x), σ = (t_1 + 4 t_2)/b; the exponents of the non boundary terms other than x are
not reproduced).

    t    t_2   Connection polynomial                        σ
    6     2    p_1(x) ⊕ x^{·} ⊕ x                            1.50
    8     4    p_1(x) ⊕ x^{·} ⊕ x^{·} ⊕ x^{·} ⊕ x            2.50
   10     6    p_1(x) ⊕ (5 terms x^{·}) ⊕ x                  3.50
   12     8    p_1(x) ⊕ (7 terms x^{·}) ⊕ x                  4.50
   14    10    p_1(x) ⊕ (9 terms x^{·}) ⊕ x                  5.50



Next we provide some concrete examples with respect to 32 degree polynomials.
We consider byte oriented LFSRs, i.e., b = 8. Let p_1(x) = x^32 ⊕ x^24 ⊕ x^16 ⊕ x^8 ⊕ 1,
which means we choose all the 4 boundary taps (positions 0, 8, 16, 24). Then we
execute the above three steps to get primitive polynomials. In Table 1 we provide
the average number of logical operations per output bit σ (= (t_1 + 4 t_2)/b, see
Theorem 2) for different numbers of non boundary taps. Note that we get better
results (lower values of σ) when the block size is larger. To demonstrate this, we
consider 128 bit LFSRs with the different block sizes b = 8, 16 and 32, and LFSRs
with total number of taps t = 24, 32, 48, 64. Theorem 2 clearly shows that for the
same number of taps the average number of operations is much less for a greater
block size, which is also reflected in Table 3.

Table 2 and Table 3 indicate that it is not encouraging to use a small block size
(e.g., 8, 16) for a large LFSR (e.g., 128). Consider a primitive polynomial of degree
128 having weight 25 (t = 24). Table 2 shows that for block size 32 such a system
needs less than 3 logical operations to generate 1 bit, which is encouraging.
Moreover, for n = 128 and b = 32, we can consider a primitive polynomial with
weight 11 (t = 10, t_1 = 2, t_2 = 8), which will take only (2 + 4·8)/32 = 1.063 ≈ 1 logical
operation on an average to produce 1 output bit. This is clearly competitive with
the hardware implementation of LFSRs where one bit is generated in each clock.
Actual bit generation rates obtained by software implementation of the above
algorithm are furnished in Table 3. We get these results using a personal
computer having a Pentium III 500 MHz microprocessor with 128 MB RAM on
the Windows NT (version 4.0)/Windows 95 platform and the Microsoft Visual C++
(version 6) compiler. The speed is measured in Mega bits per second (Mbps).
Much better speed is expected if assembly language programming is used on a
dedicated machine where operating system overhead is low. Note that the last
two rows of Table 3 provide a direct comparison between the speed of our scheme
and the speed of the algorithm from [4] (the last row). Even for the worst case of
our algorithm (small block size of 8 bits) the speed is around 9 times faster than
the existing one [4].

Table 2. σ = (t_1 + 4 t_2)/b for different cases (n = 128).

             b = 8                  b = 16                 b = 32
    t    t_1  t_2    σ         t_1  t_2    σ         t_1  t_2    σ
   24    16    8    6.000       8   16    4.500       4   20    2.625
   32    16   16   10.000       8   24    6.500       4   28    3.625
   48    16   32   18.000       8   40   10.500       4   44    5.625
   64    16   48   26.000       8   56   14.500       4   60    7.625

Table 3. Bit generation speed (Mbps, Pentium III 500 MHz). Only the following rows of
the table are recoverable here (in the first row t_1 = 16 forces b = 8 for n = 128):

    t    t_1  t_2    n     b    Mbps
   24    16    8   128     8    42.40
   10     2    8   128    32   116.20

The idea of a word oriented LFSR for a software stream cipher was indicated
in [6]. The connection polynomial considered by the authors of [6],
p(x) = x^128 + x^64 + x = x (x^127 + x^63 + 1), is not a primitive one; instead it has the
primitive polynomial x^127 + x^63 + 1 as its factor. This 128 degree polynomial
(x^128 + x^64 + x) [6] has been implemented using 4 blocks of 32 bits each. The
recurrence relation has been presented in [6] as
I_{k+4} = I_{k+2} ⊕ ((I_k >> 1) ⊕ (I_{k+1} << 31)), for k ≥ 0 (average logical
operations per bit ≈ 0.13). There is no primitive trinomial of degree 128. But
considering a primitive pentanomial (with t_1 = 2, t_2 = 2), we get σ ≈ 0.31 for
block size 32 (speed ≈ 116 Mbps, see Table 3). The bit generation speed is also
very competitive for a higher number of taps. So instead of going for a word-oriented
non primitive connection polynomial as in [6], one can easily find primitive
polynomials with a specific weight and use them for efficient block operation.

5 Tap at Most Significant Block

Here we try to remove the constraint regarding taps in the most significant block.
In this direction, we consider a single non boundary tap in the most significant
block Y_{y-1}, i.e., p_{t-1} > n − b. The remaining t − 1 taps consist of t_1 boundary taps
p_0 < p_1 < ⋯ < p_{t_1-1} and t_2 non boundary taps p_{t_1} < p_{t_1+1} < ⋯ < p_{t-2} < n − b.
As usual, the initial state of the LFSR is I_0, …, I_{y-1}.

First consider the case without taking into account the tap p_{t-1}. In this
case we get the recurrence relation I^B_{k+y} = ⊕_{i=0}^{t-2} I^{(i)}_{k+y} (see Theorem 1). Once
again we like to mention that I^{(j)}_{k+y} is the output block contributed by the tap
p_j after k block operations without considering any other taps. Considering
all the taps (including p_{t-1}), we will present a recurrence relation of the form

    I_{k+y} = I^B_{k+y} ⊕ J_{k+y}.                                                          (5a)

Here J_{k+y} is the contribution of the tap p_{t-1}, which is not the individual
contribution of the tap p_{t-1} itself. Rather, for the generation of J_{k+y} we need to
consider the contribution from the other taps also, because within one block operation
the tap p_{t-1} reads bits of the very block that is being generated.

We now present an example considering the connection polynomial x^32 ⊕ x^29 ⊕ x^11.
Here n = 32, b = 8, y = 4. Now p_1 = 29, q_1 = 3, r_1 = 5, p_0 = 11, q_0 = 1, r_0 = 3
and t = 2. Tap p_1 is in the most significant block Y_3. The initial state of
the LFSR is I_3, I_2, I_1, I_0. Now I^B_4 = I^{(0)}_4 = (I_{2,2}, I_{2,1}, I_{2,0}, I_{1,7}, …, I_{1,3}).
From Equation (5a), after one block operation we obtain I_4 = I^B_4 ⊕ J_4. We find out
the composition of J_4 considering the values of the bit position I_{3,5} (tap 29) for 8
successive clocks. This is explained in Table 4. The bit corresponding to the tap
position, initially I_{3,5}, is marked in the table. Note that the bit compositions
presented there are those before the corresponding clock number.

Now, the block operation for obtaining J_4 is to be defined in terms of
I_3, …, I_0. Note that J_4 = (I_{4,4}, I_{4,3}, I_{4,2}, I_{4,1}, I_{4,0}, I_{3,7}, I_{3,6}, I_{3,5}), which are
the 8 successive values of the tap bit. Using Table 4 and rearranging the terms, we
obtain the following.
Table 4. Bit composition of the most significant block Y_3, listed from bit 7 down to
bit 0; the tap bit (position 5) is marked with *. The new bit is s_{j+32} = s_{j+29} ⊕ s_{j+11},
and at successive clocks the tap 11 reads I_{1,3}, I_{1,4}, …, I_{1,7}, I_{2,0}, I_{2,1}, I_{2,2}.

    Clock   Bit composition of Y_3 (before the clock)                         New bit
      1     I_{3,7}, I_{3,6}, I_{3,5}*, I_{3,4}, I_{3,3}, I_{3,2}, I_{3,1}, I_{3,0}   I_{4,0} = I_{3,5} ⊕ I_{1,3}
      2     I_{4,0}, I_{3,7}, I_{3,6}*, I_{3,5}, I_{3,4}, I_{3,3}, I_{3,2}, I_{3,1}   I_{4,1} = I_{3,6} ⊕ I_{1,4}
      3     I_{4,1}, I_{4,0}, I_{3,7}*, I_{3,6}, I_{3,5}, I_{3,4}, I_{3,3}, I_{3,2}   I_{4,2} = I_{3,7} ⊕ I_{1,5}
      4     I_{4,2}, I_{4,1}, I_{4,0}*, I_{3,7}, I_{3,6}, I_{3,5}, I_{3,4}, I_{3,3}   I_{4,3} = I_{4,0} ⊕ I_{1,6}
      5     I_{4,3}, I_{4,2}, I_{4,1}*, I_{4,0}, I_{3,7}, I_{3,6}, I_{3,5}, I_{3,4}   I_{4,4} = I_{4,1} ⊕ I_{1,7}
      6     I_{4,4}, I_{4,3}, I_{4,2}*, I_{4,1}, I_{4,0}, I_{3,7}, I_{3,6}, I_{3,5}   I_{4,5} = I_{4,2} ⊕ I_{2,0}
      7     I_{4,5}, I_{4,4}, I_{4,3}*, I_{4,2}, I_{4,1}, I_{4,0}, I_{3,7}, I_{3,6}   I_{4,6} = I_{4,3} ⊕ I_{2,1}
      8     I_{4,6}, I_{4,5}, I_{4,4}*, I_{4,3}, I_{4,2}, I_{4,1}, I_{4,0}, I_{3,7}   I_{4,7} = I_{4,4} ⊕ I_{2,2}

    J_4 = (I^B_{4,1}, I^B_{4,0}, 0, …, 0) ⊕ (I^B_{4,4}, I^B_{4,3}, I^B_{4,2}, I^B_{4,1}, I^B_{4,0}, 0, 0, 0) ⊕
          (I_{3,6}, I_{3,5}, I_{3,7}, I_{3,6}, I_{3,5}, I_{3,7}, I_{3,6}, I_{3,5}),

where I^B_{4,i} = I_{1,3+i} (0 ≤ i ≤ 4) are the bits of I^B_4 = I^{(0)}_4 contributed by the tap
p_0 = 11; they enter J_4 because from clock 4 onwards the tap bit is itself a newly
generated bit. The last term can be rearranged again as

    (I_{3,6}, I_{3,5}, 0, …, 0) ⊕ (0, 0, I_{3,7}, I_{3,6}, I_{3,5}, 0, 0, 0) ⊕ (0, …, 0, I_{3,7}, I_{3,6}, I_{3,5})
        = (Itmp << 6) ⊕ (Itmp << 3) ⊕ Itmp, where Itmp is (I_3 >> 5).

Thus we get

    J_4 = (I^B_4 << 6) ⊕ (I^B_4 << 3) ⊕ ((Itmp << 6) ⊕ (Itmp << 3) ⊕ Itmp).

We can rewrite it as J_4 = (I^B_4 << 2·3) ⊕ (I^B_4 << 1·3) ⊕ ((Itmp << 2·3) ⊕ (Itmp << 1·3) ⊕ Itmp).
In this case I^B_4 = I^{(0)}_4 and we get

    J_4 = ⊕_{l=1}^{m} (I^B_4 << l·(b − r_1)) ⊕ ⊕_{l=0}^{m} (Itmp << l·(b − r_1)),

where m = ⌈b/(b − r_1)⌉ − 1 and b = 8, r_1 = 5 (so b − r_1 = 3 and m = 2). Hence,

    I_4 = I^B_4 ⊕ J_4 = ⊕_{l=0}^{m} (I^B_4 << l·(b − r_1)) ⊕ ⊕_{l=0}^{m} (Itmp << l·(b − r_1)).

Now we present the generalized result in the following theorem.

Theorem 3. Consider a polynomial x^n ⊕ ⊕_{i=0}^{n-1} a_i x^i over GF(2), where n = yb,
b is the block size and y is the number of blocks. Let there be t = #{a_i = 1} taps
such that t = t_1 + t_2 + 1. Let p_0 < p_1 < ⋯ < p_{t_1-1} be at boundary locations,
and 0 < p_{t_1} < p_{t_1+1} < ⋯ < p_{t-2} < n − b be at non boundary locations. Also
n − b + 1 ≤ p_{t-1} ≤ n − 1, i.e., p_{t-1} = b(y − 1) + r_{t-1} with 0 < r_{t-1} ≤ b − 1. Then
the block oriented recurrence relation for this LFSR is

    I_{k+y} = ⊕_{l=0}^{m} ((Itmp << l·(b − r_{t-1})) ⊕ (I^B_{k+y} << l·(b − r_{t-1}))), for k ≥ 0,

where Itmp = (I_{k+y-1} >> r_{t-1}), I^B_{k+y} = ⊕_{i=0}^{t-2} I^{(i)}_{k+y} as in Theorem 1, and
m = ⌈b/(b − r_{t-1})⌉ − 1.



We now provide a C like algorithm for the implementation of this theorem. The
call blockLFSROutput() stands for one block operation of the previous algorithm
over the t − 1 taps below n − b, i.e., it yields I^B_{k+y}; the loop index l runs from 1
to m inclusive, one iteration per term of the sum.

Implementation lastBlockTap

    m = ⌈b/(b − r[t − 1])⌉ − 1; k = 0;
    while output is required {
        var1 = blockLFSROutput();          /* This is I^B_{k+y} */
        var2 = I[k + y − 1] >> r[t − 1];   /* This is Itmp */
        I[k + y] = var1 ⊕ var2;            /* This is the term for l = 0 */
        for (l = 1; l ≤ m; l++) {
            var1 = var1 << (b − r[t − 1]);
            var2 = var2 << (b − r[t − 1]);
            I[k + y] = I[k + y] ⊕ var1 ⊕ var2;
        }
        Output I[k]; k = k + 1;
    }





306 S. Chowdhury and S. Maitra 



It is evident that for the single tap in the most significant block 4m + 4
logical operations are required. We consider an assignment to a different
variable as 1 operation. The value of m varies from a minimum of 1 (when
r_{t-1} ≤ b/2) to a maximum of b − 1 (when r_{t-1} = b − 1). In case of a non boundary
tap in the last block, the best case is when m = 1. Even for this case, the number
of logical operations required is 4 × 1 + 4 = 8, which is higher than the 4 logical
operations required for a non boundary tap in any other block. Moreover, it is
clear that for more than one non boundary tap in the most significant block,
the number of required logical operations will be much higher in this technique.
For a block-oriented LFSR with taps t = t_1 + t_2 + 1, as in Theorem 3, the average
number of logical operations required for each output bit is
σ = (t_1 + 4 t_2 + 4m + 4)/b (see Theorem 2). Table 5 shows the variation of σ for
different block sizes (b) and different values of m (similar to Table 2). Note that
m = 0 indicates no non boundary tap in the most significant block, and in that case
σ = (t_1 + 4 t_2)/b.
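The two recurrences, blockLFSROutput (Theorem 1) and lastBlockTap (Theorem 3), in Python, as an added example that is not code from the paper. Each is checked against a plain bit-serial LFSR clocked b times per block, which is the test a practitioner should run before trusting any word-oriented rewrite of a bit-level recurrence. The tap sets, the seeds and the trinomial x^32 ⊕ x^29 ⊕ x^11 (the example of this section) are constructed inputs for the check, not recommended (primitive) connection polynomials; the operation counts are those of Theorem 2 and of this section.

```python
"""Added example, not part of the paper: Theorem 1 (blockLFSROutput) and
Theorem 3 (lastBlockTap) checked against a bit-serial LFSR.  Block I_j holds
bits s_{jb}..s_{jb+b-1} with I_{j,i} = s_{jb+i} (bit 0 least significant), so a
tap p = bq + r reads (I_{k+q} >> r) ^ (I_{k+q+1} << (b - r)).  Tap sets and
seeds are constructed test inputs, not recommended connection polynomials."""


def bit_serial_blocks(n, taps, state_bits, b, count):
    """Reference: s_{j+n} = XOR_{p in taps} s_{j+p}; pack b consecutive bits per block."""
    s = list(state_bits)
    while len(s) < count * b:
        j = len(s) - n
        s.append(sum(s[j + p] for p in taps) & 1)
    return [sum(s[j * b + i] << i for i in range(b)) for j in range(count)]


def block_lfsr(n, b, taps, init_blocks, count):
    """Theorem 1: a boundary tap costs one XOR, a non boundary tap two shifts and
    two XORs.  Taps lie at or below n - b, and exactly at n - b only if boundary."""
    y, mask = n // b, (1 << b) - 1
    assert all(p <= n - b and (p < n - b or p % b == 0) for p in taps)
    I = list(init_blocks)
    for k in range(count - y):
        new = 0
        for p in taps:
            q, r = divmod(p, b)
            if r == 0:
                new ^= I[k + q]
            else:
                new ^= ((I[k + q + 1] << (b - r)) & mask) ^ (I[k + q] >> r)
        I.append(new)
    return I


def block_lfsr_msb_tap(n, b, taps, msb_tap, init_blocks, count):
    """Theorem 3 / lastBlockTap: one extra non boundary tap p_{t-1} = (y-1)b + r.
    I_{k+y} = XOR_{l=0..m} ((I^B << l(b-r)) ^ (Itmp << l(b-r))), Itmp = I_{k+y-1} >> r,
    m = ceil(b/(b-r)) - 1.  Costs 4m + 4 operations on top of the other taps."""
    y, mask = n // b, (1 << b) - 1
    q, r = divmod(msb_tap, b)
    assert q == y - 1 and r > 0
    m = -(-b // (b - r)) - 1
    I = list(init_blocks)
    for k in range(count - y):
        var1 = block_lfsr(n, b, taps, I[k:k + y], y + 1)[-1]   # I^B_{k+y}, other taps only
        var2 = I[k + y - 1] >> r                                # Itmp
        new = var1 ^ var2                                       # l = 0
        for _ in range(m):
            var1 = (var1 << (b - r)) & mask
            var2 = (var2 << (b - r)) & mask
            new ^= var1 ^ var2
        I.append(new)
    return I


def split_state(seed, n, b):
    """Initial state from an n-bit integer: bit list s_0..s_{n-1} and blocks I_0..I_{y-1}."""
    bits = [(seed >> i) & 1 for i in range(n)]
    blocks = [(seed >> (j * b)) & ((1 << b) - 1) for j in range(n // b)]
    return bits, blocks


def ops_per_bit(b, t1, t2, m=None):
    """sigma of Theorem 2; with m given, plus the 4m + 4 operations of a tap in the
    most significant block."""
    return (t1 + 4 * t2 + (0 if m is None else 4 * m + 4)) / b


def matches_bit_serial(n, b, taps, msb_tap, seed, count):
    """True iff the block recurrence reproduces the bit-serial reference sequence."""
    bits, blocks = split_state(seed, n, b)
    all_taps = taps + ([] if msb_tap is None else [msb_tap])
    ref = bit_serial_blocks(n, all_taps, bits, b, count)
    got = (block_lfsr(n, b, taps, blocks, count) if msb_tap is None
           else block_lfsr_msb_tap(n, b, taps, msb_tap, blocks, count))
    return got == ref


if __name__ == "__main__":
    # the four boundary taps of p_1(x) plus two non boundary taps (Section 4, b = 8)
    print(matches_bit_serial(32, 8, [0, 8, 16, 24, 1, 11], None, 0x9E3779B9, 40))
    # x^32 + x^29 + x^11: tap 29 lies in the most significant block (this section, m = 2)
    print(matches_bit_serial(32, 8, [11], 29, 0xDEADBEEF, 40))
    print(ops_per_bit(32, 2, 8), ops_per_bit(8, 16, 7, m=3))
```

`block_lfsr_msb_tap` recomputes I^B through `block_lfsr` for clarity; a production loop would fuse the two, exactly as lastBlockTap does with its `blockLFSROutput()` call. Note the `& mask` after every left shift: in C on a b-bit word the mask is implicit, in Python it is not, and without it the reference check fails.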



Table 5. σ = (t_1 + 4 t_2 + 4m + 4)/b for different cases (n = 128, t = 24, one non boundary
tap in the most significant block; values follow from the formula above).

                   b = 8                  b = 16                 b = 32
    t    m    t_1  t_2    σ         t_1  t_2    σ         t_1  t_2    σ
   24    2    16    7    7.000       8   15    5.000       4   19    2.875
   24    3    16    7    7.500       8   15    5.250       4   19    3.000

Table 6. Bit generation speed for different positions (i.e., m) of the non boundary tap in
the most significant block (the measured values are not reproduced here).



It is clear from Table 5 that for smaller block sizes the presence of a single tap in
the most significant block increases the average number of logical operations σ
considerably. For b = 8, 16, it is better to confine r_{t-1} within b/2 (i.e., m = 1).
For block size 32, the value can be increased up to 20 (i.e., m = 3). We provide
Table 6, similar to Table 3, to show the variation in bit generation speed for
different positions of the non boundary tap (i.e., m) in the most significant block.

Further work in this direction could be the design of efficient software
implementations for LFSRs of any length.
Abstract. In this paper we will compare two signature schemes proposed by
different sets of authors. One is the XTR-Nyberg-Rueppel signature proposed by
A.K. Lenstra and E.R. Verheul in [3] and the other is the signature scheme
proposed by C.H. Tan, X. Yi and C.K. Siew in [9] (we will call it the TYS
signature). The XTR-NR signature uses the third degree trace projection
Tr : GF(p^6) → GF(p^2) and has been generalized in [8] by Lim et al. as a scheme
in GF(p^{6m}) using Tr : GF(p^{6m}) → GF(p^{2m}). On the other hand, the TYS
signature is based on a third order LFSR. Tan et al. claimed that the TYS
signature is as secure as the Schnorr signature scheme. We will explain why
these two schemes are essentially the same. In addition, we will point out that
the TYS signature as it is has some flaws in its arguments. We will show that in
order to cure the flaws of the TYS signature, one should bring in exactly the same
security and efficiency considerations of the XTR scheme as in [8].

Key words: Trace Projection, XTR, LFSR, digital signature scheme



1 Introduction

In [3] A.K. Lenstra and E.R. Verheul proposed the public key scheme XTR
(which stands for Efficient and Compact Subgroup Trace Representation). As a
computational tool, XTR uses the third degree trace projection Tr : GF(p^6) →
GF(p^2). They also showed that XTR can be used to materialize the Nyberg-Rueppel
message recovery signature scheme. In [8] it was shown by Lim et al. that XTR
can be naturally generalized as a scheme in GF(p^{6m}) using Tr : GF(p^{6m}) →
GF(p^{2m}). The XTR-NR signature can also be naturally generalized in the same way.

In [9] C.H. Tan, X. Yi and C.K. Siew proposed a signature scheme using third
order linear feedback shift registers. These LFSRs are generated by irreducible
cubic polynomials of the form f(x) = x^3 − ax^2 + bx − 1 over the field GF(q).
These cubic polynomials are assumed to have order Q = q^2 + q + 1, i.e., the
multiplicative order of a root g ∈ GF(q^3) of f(x) is Q. Tan et al. claimed that
the security of their signature scheme is equivalent to the security of the Schnorr
signature scheme. We will call their signature scheme the TYS signature.

* Yie and Kim's work was supported by Basic Science Research Institute Program,
Korea Research Foundation 1998-015-D00017.

In this paper we will compare the XTR-NR signature and the TYS signature. Al-
though Tan et al. didn't refer to the trace projection, we will show that the TYS
signature can be described in terms of the third degree trace projection Tr :
GF(q^3) → GF(q). Thus XTR and the TYS signature will be shown to share the
same computational tools. By comparing with XTR, we will show that the TYS sig-
nature, as it is, is not as secure as Tan et al. claimed. In order to maintain the
security of the TYS signature as desired, one must bring in precisely the same con-
ditions for parameters as in XTR. Then it will be apparent that the TYS signature
is essentially the same as the XTR-NR signature scheme. Our conclusions are:

1. Unless the parameters Q and f(x) are chosen very carefully, the TYS signature
   scheme is not as secure as it was claimed to be.

2. The XTR scheme can be generalized so that the computation is done over an
   odd degree extension field GF(q) of GF(p). But in this case we lose much of
   the computational advantage of XTR we had in an even degree extension.

2 Computational Tools

In this section we briefly describe the computational aspects of XTR and the TYS
signature. Let p be a prime and q = p^t be a power of p for some positive integer t.

2.1 Description of XTR

XTR starts with an irreducible polynomial of the form F(c, x) = x^3 − cx^2 +
c^{p^m} x − 1 over GF(q)[x], where t = 2m is assumed to be even and c does not
belong to any proper subfield of GF(q). It follows then that the multiplicative
order of a root g of F(c, x) is a factor of p^{2m} − p^m + 1 and c = Tr(g) and
c^{p^m} = Tr(g^{−1}), where Tr is the trace projection of GF(q^3) onto GF(q).

In fact, one could have started describing XTR by considering irreducible
polynomials of the form f(x) = x^3 − ax^2 + bx − 1. But once we assume, for
security reasons, that the order of a root g of f(x) divides p^{2m} − p^m + 1, it
immediately follows that a = Tr(g) and b = Tr(g^{−1}) = a^{p^m}.

Now XTR basically defines a Diffie-Hellman type key agreement scheme on
the cyclic subgroup G generated by g in the multiplicative group GF(q^3)^*. But
XTR uses Tr(h) to represent the element h ∈ G to enhance the computational
and communicational efficiency. Also for security concerns and practical reasons,
the order of g is taken as a prime of at least 160 bits.



2.2 Description of TYS

The TYS signature starts with a third order LFSR c_n = a c_{n−1} − b c_{n−2} + c_{n−3}, n ≥ 3,
generated by a cubic irreducible polynomial of the form f(x) = x^3 − ax^2 + bx − 1
over GF(q). The order of f(x), that is, the multiplicative order of a root g of
f(x), is assumed to be Q = q^2 + q + 1. It follows then that a = Tr(g) and
b = Tr(g^{−1}), where g ∈ GF(q^3) is a root of f(x) and Tr : GF(q^3) → GF(q) is
the trace projection. Note that by Newton's formula for elementary symmetric
polynomials, we see that c_n = Tr(g^n) for n ≥ 1 (see [7]). Thus the set of c_n's is
nothing but the set of Tr(h)'s for h ∈ G as in XTR.

2.3 Computations

Thus in both schemes, c_n = Tr(g^n) for large n will frequently be computed. To
perform these computations efficiently, the following lemmas (Lemma 2.3 of [8]
and Algorithm 1 of [9]) were employed:

Lemma 2.1. Let q = p^t = p^{2m}. Let F(c, x) = x^3 − cx^2 + c^{p^m} x − 1 be an
irreducible polynomial over GF(q) and g be a root of F(c, x) in GF(q^3). If we
let c_n = Tr(g^n), where Tr is the obvious trace projection, then we have the following
formulas.

1. c_{n+2} = c c_{n+1} − c^{p^m} c_n + c_{n−1},   c_{n−1} = c_{n+2} − c c_{n+1} + c^{p^m} c_n;
2. c_{2n} = c_n^2 − 2 c_n^{p^m};
3. c_{2n+1} = c_n c_{n+1} − c c_n^{p^m} + c_{n−1}^{p^m};
4. c_{2n−1} = c_n c_{n−1} − c^{p^m} c_n^{p^m} + c_{n+1}^{p^m}.

Lemma 2.2. Let f(x) = x^3 − ax^2 + bx − 1 be an irreducible polynomial over
GF(q) and g be a root of f(x) in GF(q^3). If we let c_n = Tr(g^n), where Tr is the
obvious trace projection, then we have the following formulas.

1. c_{2n} = c_n^2 − 2 c_{−n};
2. c_{2n+1} = c_n c_{n+1} − a c_{−n} + c_{−n+1};
3. c_{2n−1} = c_n c_{n−1} − b c_{−n} + c_{−n−1}.

Note that, in the TYS signature, the exponent p^m = √q is meaningless since q may
not be a square. However, the formulas in Lemma 2.2 are easily obtained from the
formulas in Lemma 2.1 simply by replacing c by a, c^{p^m} by b and c_n^{p^m} by c_{−n}.

Following [3], we denote S_n(c) = (c_{n−1}, c_n, c_{n+1}) for any integer n. (Cau-
tion: the notation in [9] is slightly different, as S_k = (c_k, c_{k+1}, c_{k+2}).) Now if
we are given S_0(c), S_1(c), S_2(c), by repeatedly applying Lemma 2.1 or 2.2 as a
slight variation of the 'square and multiply' algorithm, we can quickly compute
S_{n−1}(c), S_n(c), S_{n+1}(c).

As we have seen so far, XTR and the TYS signature have a common computational
feature. We give Table 1 as a summary of this section.

Remark: In the TYS signature, one has to compute both c_n and c_{−n} every time,
whereas in XTR, c_{−n} = c_n^{p^m} is for free once c_n is obtained.

If we want to generalize the XTR scheme over the odd degree extension
GF(q), where t is an odd positive integer, the first problem we face is that we
cannot write a third degree polynomial of the form F(c, x) = x^3 − cx^2 + c^{√q} x − 1
because q is not a square. Also, since q is not a square, there is no factor of q^3 − 1,
the order of the multiplicative group GF(q^3)^*, playing the role of p^{2m} − p^m + 1.
Instead, we have q^3 − 1 = (q − 1)(q^2 + q + 1). Thus we need to start, as in [9], with
an irreducible polynomial of the form f(x) = x^3 − ax^2 + bx − 1. If g is a root of f(x),
then the norm N(g) of g is g^{q^2+q+1} = 1. Therefore the order of f(x) automatically
becomes a factor of q^2 + q + 1. Now the rest of the computational setup will follow in
exactly the same way as above.

Comments on a Signature Scheme Based on the Third Order LFSR 311

Table 1. Common computational feature

    Item              Property                                          Remark
    base field        GF(q)                                             q = p^t. In XTR, t = 2m.
    polynomial        f(x) = x^3 − ax^2 + bx − 1 ∈ GF(q)[x]             In XTR, a = c, b = c^{p^m}.
    splitting field   GF(q^3)
    trace             Tr : GF(q^3) → GF(q)
    ambient group     GF(q^3)^*
    subgroup          the cyclic group G generated by g                 g is a root of f(x).
    representation    Tr(h)                                             h ∈ G
    computation       c_{2n} = c_n^2 − 2 c_{−n},                        In XTR, c_{−n} can be
                      c_{2n+1} = c_n c_{n+1} − a c_{−n} + c_{−n+1},     easily computed as c_n^{p^m}.
                      c_{2n−1} = c_n c_{n−1} − b c_{−n} + c_{−n−1}

3 Signature Schemes

The XTR-NR signature is a message recovery signature scheme and the TYS signature
is a signature scheme with appendix. But as was remarked in [3], a signature scheme
with appendix using XTR can be defined in the same way. We compare the
XTR-NR signature and the TYS signature and display the comparison in Table 2.
Note that t is assumed to be an even number t = 2m for XTR.

4 Security of TYS Signature

Both XTR and the TYS signature have their security based on the DLP. Since every
computation can be performed inside the splitting field GF(q^3), the security level
of the TYS signature is at best equivalent to that of the DLP in GF(q^3). Also, since
the only elements we deal with are elements of the cyclic subgroup G generated by
a root g of f(x) = x^3 − ax^2 + bx − 1, the security level of the TYS signature is at
best equivalent to that of the DLP in G. Based on this observation, we discuss below
the security of the TYS signature scheme.

4.1 If the Polynomial f(x) = x^3 − ax^2 + bx − 1 is Defined over a Proper Subfield of GF(q)

If the subgroup G can be caught inside a proper subfield K of GF(q^3), then the
security level will go down to the security level of the DLP in K. This case occurs
exactly when the polynomial f(x) = x^3 − ax^2 + bx − 1 is defined over a proper
subfield of GF(q). Tan et al. in [9] gave this condition implicitly by requesting
the order of f(x) to be Q = q^2 + q + 1. But requesting the order to be exactly
q^2 + q + 1 makes it difficult to find the polynomial f(x). Also the vague role of
Lemma 1 of [9] and the example below it may give the wrong impression that one
may even choose f(x) over the prime subfield GF(p).

4.2 If the Order Q of the Subgroup Factors into Small Primes

One of the known attacks on the DLP is the Pohlig-Hellman algorithm, which is
designed to work when the order of the group used is a product of small primes.
Hence we should be careful in choosing the parameter Q so that it has a large prime
factor. With respect to the current computing ability, it is usually required that Q
must have a prime factor of at least 160 bits. When one constructs a cryptographic
scheme based on the subgroup DLP, it is common practice to make the order
Q of the subgroup a prime of at least 160 bits because of efficiency and
security considerations.

Thus, in order to make the TYS signature secure as claimed, it is required to
impose the condition that Q have a prime factor B of at least 160 bits. Unfor-
tunately, if the order of the base field GF(q) is a square q = p^{2m}, this condition
is not enough. In that case, we have q^2 + q + 1 = (p^{2m} − p^m + 1)(p^{2m} + p^m + 1).
And if B is a factor of (p^{2m} + p^m + 1), then the subgroup of GF(q^3)^* of order
B is in fact contained in the proper subfield GF(p^{3m}) of GF(q^3), because
p^{3m} − 1 = (p^m − 1)(p^{2m} + p^m + 1). Therefore, if q = p^{2m} is a square, the condition
should be stronger, so that (p^{2m} − p^m + 1) has a prime factor of at least 160 bits.

Table 2. XTR-NR and TYS signature schemes

    Item             XTR                                             TYS signature
    Trace            Tr : GF(p^{6m}) → GF(p^{2m})                    Tr : GF(p^{3t}) → GF(p^t)
    irr. poly.       f(x) = x^3 − ax^2 + a^{p^m} x − 1,               f(x) = x^3 − ax^2 + bx − 1,
                     a ∈ GF(p^{2m}) but not in any proper subfield   a, b ∈ GF(p^t)
    a                a = Tr(g) for some g ∈ GF(p^{6m})               a = Tr(g) for some g ∈ GF(p^{3t})
    Order of g       prime factor Q of p^{2m} − p^m + 1               Q = p^{2t} + p^t + 1
    Secret key k     1 < k < Q − 2                                    gcd(k, Q) = 1
    Nonce z          1 < z < Q − 2                                    gcd(z, Q) = 1
    Message auth.    h = Hash(E_K(m)),                                h_1 = Hash(m, s_k, s_{k+1}, s_{k+2})
                     E: agreed symmetric cipher, K = Tr(g^z)
    s                s = hk + z (mod Q)                               s = h_1 k − z (mod Q)
    Sig. for m       (s, E_K(m))                                      (s, m, s_k, s_{k+1}, s_{k+2})
5 Parameter Generation for TYS Signature

Since Tan et al. do not provide any method of generating parameters, and since
we need to add some restrictive conditions on the parameters, we discuss how to
generate parameters for the TYS signature. The discussion about computation in
Section 2 and about security in Section 4 shows us that the parameter selection
should differ according to whether q = p^t is a square or not. So we deal with
these two cases separately. Note also that the order Q of the polynomial f(x)
doesn't have to be q^2 + q + 1; it is enough for it to be a prime factor of q^2 + q + 1 or
of p^{2m} − p^m + 1 of at least 160 bits, according as t is odd or even.

5.1 Parameter Generation when t Is Even

In case q = p^{2m} is a square, Q is a prime factor of p^{2m} − p^m + 1 and the compu-
tational detail of the TYS signature becomes exactly the same as XTR. Therefore
we can generate parameters the same way as we would in [8] for XTR.

5.2 Parameter Generation when t Is Odd

In case q = p^t is not a square, the description of XTR should be modified as
we noted at the end of Section 2. In fact, if we fix the flaws reported so far, the
computational feature of the TYS signature can readily serve as the generalization
of XTR over the odd degree extension field GF(q).

Selection of q = p^t. Since the security level of the TYS signature (or XTR) is
bounded by the security level of the DLP in the splitting field GF(q^3) and of the
DLP in the subgroup G, q^3 must be selected so that these DLPs are secure. Currently,
q^3 must be at least 1024 bits and the order Q of G, which is a prime factor of
q^2 + q + 1, must be at least 160 bits.

If t > 1, since every computation will be done over GF(p^t), it is desirable to
have efficient arithmetic in GF(p^t). Therefore, we need to select q = p^t so that
GF(p^t) has good bases. Note that if t > 1 is odd, GF(p^t) never has an optimal
normal basis of type I (a type I basis requires t + 1 to be prime). Not much is known
about optimal normal bases of type II of extension fields with characteristic p > 2.
Study on a good optimal normal basis of type II that is well suited for the XTR-TYS
scheme would be an interesting subject.

Let t = 2m + 1. We will consider only the case when GF(p^t) has an
optimal normal basis of type II. In this case, 2t + 1 = 4m + 3 is a prime number.
We further assume that t = 2m + 1 is a prime so that Z^*_{4m+3} has as many
primitive elements as possible. Thus we made the situation similar to the case
when t is even.

We also need to construct the subgroup G of GF(p^{3t})^* = GF(p^{6m+3})^* of order
Q so that G is not contained in any proper subfield of GF(p^{3t}) = GF(p^{6m+3}).
The following Lemma, which follows directly from Lemma 2.4 of [2], gives a
sufficient condition for a subgroup of GF(p^{6m+3})^* not to be contained in any
proper subfield of GF(p^{6m+3}).
Lemma 5.1. Let Q be a prime factor of Φ_{6m+3}(p), where Φ_n(X) denotes the
n-th cyclotomic polynomial. Then the subgroup of GF(p^{6m+3})^* of order Q is not
contained in any proper subfield of GF(p^{6m+3}).

The 3(2m + 1)-th cyclotomic polynomials Φ_{6m+3}(x), for t = 2m + 1 prime (and
t ≠ 3, so that 3 ∤ t), are as follows:

    Φ_3(x) = x^2 + x + 1,

    Φ_{6m+3}(x) = (x^{2t} + x^t + 1)/(x^2 + x + 1),   m ≥ 1.

Thus we have that if Q is a prime factor of p^{2t} + p^t + 1 of at least 160
bits (assuming that p^{3t} is of 1024 bits, so that p^2 + p + 1 is far smaller than Q and
Q must divide the cofactor Φ_{6m+3}(p)) then the subgroup ⟨g⟩ of GF(p^{3t})^* with
g ∈ GF(p^{3t}) of order Q is not contained in any proper subfield of GF(p^{3t}).

Unfortunately, when t > 1, there is no known easy way of constructing such a
p, Q pair satisfying the above conditions. One has to keep constructing prime num-
bers p until p^{2t} + p^t + 1 has a prime factor Q of at least 160 bits.



Selection of the Cubic Polynomial f(x) = x^3 − ax^2 + bx − 1. As was
noted at the end of Section 2, the irreducibility of f(x) = x^3 − ax^2 + bx − 1 over
GF(q) implies that the order of f(x) is a factor of q^2 + q + 1. However, it is very
difficult to deterministically compute b from a given a, or vice versa, so that
f(x) is irreducible. We give two ways of finding such (a, b) pairs, one of which is
much preferable.

One conceptually easier way is to start with an element g ∈ GF(q^3) whose
norm in GF(q) is 1. Then a = Tr(g) and b = Tr(g^{−1}). But when GF(q) is not a
prime field (i.e., t > 1), it is not easy to compute the trace.

Another way of generating f(x) is to randomly choose an (a, b) pair and test
whether x^3 − ax^2 + bx − 1 is irreducible. The probability for x^3 − ax^2 + bx − 1
to be irreducible for a randomly chosen (a, b) is about 1/3.
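The computations of Section 2.3 (the square-and-multiply walk over Lemma 2.2, carrying c_{−n} along as the Remark requires), the random (a, b) search just described, and the order check of Section 4.2, written out in Python for the odd case t = 1 (q = p prime) as an added example that is not code from either paper. The toy prime p = 1009 and the seeds are constructed for the demonstration and are nowhere near the 1024-bit q^3 and 160-bit Q the text requires; every trace produced by the Lemma 2.2 walk is compared with an explicit trace computed in GF(p^3) = GF(p)[x]/(f(x)).

```python
"""Added example, not part of the paper: Lemma 2.2 driven by square-and-multiply
on S_n = (c_{n-1}, c_n, c_{n+1}), the random (a, b) search of Section 5.2 and the
order check of Section 4.2, for t = 1 (q = p prime), verified against explicit
GF(p^3) = GF(p)[x]/(f(x)) arithmetic.  p = 1009 is a constructed toy prime."""
import random

P = 1009                  # toy base field GF(p), t = 1
Q = P * P + P + 1         # N(g) = g^Q = 1, so the order of g divides Q


def is_irreducible_cubic(a, b, p=P):
    """x^3 - a x^2 + b x - 1 is irreducible over GF(p) iff it has no root in GF(p)."""
    return all((x * x * x - a * x * x + b * x - 1) % p for x in range(p))


def gf_mul(u, v, a, b, p=P):
    """Product in GF(p)[x]/(f), elements as (u0, u1, u2); x^3 = a x^2 - b x + 1."""
    prod = [0] * 5
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] = (prod[i + j] + ui * vj) % p
    for k in (4, 3):                                   # fold x^4, then x^3
        coef, prod[k] = prod[k], 0
        prod[k - 1] = (prod[k - 1] + coef * a) % p
        prod[k - 2] = (prod[k - 2] - coef * b) % p
        prod[k - 3] = (prod[k - 3] + coef) % p
    return tuple(prod[:3])


def gf_pow(u, e, a, b, p=P):
    r = (1, 0, 0)
    while e:
        if e & 1:
            r = gf_mul(r, u, a, b, p)
        u, e = gf_mul(u, u, a, b, p), e >> 1
    return r


def trace(u, a, b, p=P):
    """Tr(u) = u + u^p + u^(p^2) lies in GF(p): only the constant coordinate survives."""
    s = [0, 0, 0]
    for e in (1, p, p * p):
        s = [(si + wi) % p for si, wi in zip(s, gf_pow(u, e, a, b, p))]
    assert s[1] == 0 and s[2] == 0
    return s[0]


def trace_triple(a, b, n, p=P):
    """S_n = (c_{n-1}, c_n, c_{n+1}), c_n = Tr(g^n), from S_0 = (b, 3, a) by Lemma 2.2.
    T mirrors S for the inverse sequence d_m = c_{-m}, which obeys the same
    recurrence with a and b swapped (g^-1 is a root of x^3 - b x^2 + a x - 1)."""
    def step(S, a_, b_):        # S_m -> S_{m+1}: c_{m+2} = a c_{m+1} - b c_m + c_{m-1}
        return (S[1], S[2], (a_ * S[2] - b_ * S[1] + S[0]) % p)

    def double(S, T, a_, b_):   # S = S_m, T = (c_{-m+1}, c_{-m}, c_{-m-1}); returns S_{2m}
        cm1, c0, c1 = S
        dm1, d0, d1 = T
        return ((c0 * cm1 - b_ * d0 + d1) % p,      # c_{2m-1} = c_m c_{m-1} - b c_{-m} + c_{-m-1}
                (c0 * c0 - 2 * d0) % p,             # c_{2m}   = c_m^2 - 2 c_{-m}
                (c0 * c1 - a_ * d0 + dm1) % p)      # c_{2m+1} = c_m c_{m+1} - a c_{-m} + c_{-m+1}

    S, T = (b, 3, a), (a, 3, b)
    for bit in bin(n)[2:]:
        S, T = double(S, T, a, b), double(T, S, b, a)
        if bit == "1":
            S, T = step(S, a, b), step(T, b, a)
    return S


def order_of_g(a, b, p=P):
    """(multiplicative order of g = x in GF(p^3)^*, largest prime factor of Q)."""
    g, order, m, d, factors = (0, 1, 0), Q, Q, 2, []
    while d * d <= m:                          # trial division suffices for a toy Q
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    factors += [m] if m > 1 else []
    for f in factors:
        while order % f == 0 and gf_pow(g, order // f, a, b, p) == (1, 0, 0):
            order //= f
    return order, max(factors)


def find_parameters(seed=1, p=P):
    """Section 5.2, second method: draw (a, b) until f(x) is irreducible."""
    rng = random.Random(seed)
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        if is_irreducible_cubic(a, b, p):
            return a, b


def irreducible_fraction(trials=300, seed=7, p=P):
    rng = random.Random(seed)
    return sum(is_irreducible_cubic(rng.randrange(p), rng.randrange(p), p)
               for _ in range(trials)) / trials


def check_parameters(a, b, p=P):
    """Lemma 2.2 walk agrees with explicit traces, and g^Q = 1 gives S_Q = S_0."""
    g = (0, 1, 0)
    for n in (1, 2, 5, 77, 1234, 65537):
        direct = tuple(trace(gf_pow(g, e, a, b, p), a, b, p) for e in (n - 1, n, n + 1))
        if trace_triple(a, b, n, p) != direct:
            return False
    return trace_triple(a, b, Q, p) == (b, 3, a)


if __name__ == "__main__":
    a, b = find_parameters()
    order, largest = order_of_g(a, b)
    print("f(x) = x^3 - %d x^2 + %d x - 1 over GF(%d): ord(g) = %d divides Q = %d"
          % (a, b, P, order, Q))
    print("largest prime factor of Q:", largest, "| irreducible fraction ~",
          irreducible_fraction(), "| checks:", check_parameters(a, b))
```

For p = 1009, Q = 1019091 = 3 · 37 · 9181, so even this toy group is exactly the situation Section 4.2 warns about: Pohlig-Hellman reduces the DLP in G to the 9181-element piece. The `order_of_g` routine is the check a parameter generator should run, with the 160-bit requirement on the largest prime factor substituted for the toy sizes.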



6 Conclusion

In this paper we compared the XTR-NR signature scheme and the TYS signature
scheme. We explained why these two schemes are essentially the same. In addition,
we pointed out that the TYS signature as it is has some flaws in its arguments and
showed that in order to cure the flaws of the TYS signature, one should bring in
exactly the same security and efficiency considerations of the XTR scheme as in [8].
As a summary we list the following:

— To make the TYS signature scheme secure, the order Q of the irreducible poly-
  nomial x^3 − ax^2 + bx − 1 must have a prime factor B of at least 160 bits.
  The prime B should be a factor of p^{2t} + p^t + 1 when t is odd, and should be
  a factor of p^{2m} − p^m + 1 when t = 2m is even.

— When t is odd, the cost of computation as well as communication is almost
  twice that of the t even case. Also if t is odd, we lose the advantage of XTR
  of easy generation of the cubic polynomial F(c, x).

— Thus for efficiency reasons, it is desirable to take t to be even. Also for security
  reasons, it is desirable to take the order Q of the cubic polynomial to be a
  prime factor of p^{2m} − p^m + 1 of at least 160 bits, where t = 2m. Then the TYS
  signature scheme is practically a variation of XTR.
Abstract. Chaotic cryptology has been widely investigated recently. This paper reviews the progress in this area and points out some existing problems in digital chaotic ciphers. As a comprehensive solution to these problems, a novel pseudo-random bit generator based on a couple of chaotic systems, called CCS-PRBG, is presented. Detailed theoretical analyses show that it has perfect cryptographic properties and can be used to construct stream ciphers with higher security than other chaotic ciphers. Some experiments are made for confirmation. Finally, several examples of stream ciphers based on digital CCS-PRBG are given, and their security is discussed.



1 Introduction 



Chaotic cryptography has received much attention in recent years; both digital and analog chaotic encryption methods have been proposed and analyzed [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30]. Most analog chaotic ciphers are designed to realize secure communications through noisy channels using the chaotic synchronization technique [1]. This paper chiefly focuses on digital chaotic ciphers.

The tight relationship between chaos theory and cryptography has been 
pointed out by some researchers [2,1,16,31]. Many fundamental characteristics 
of chaos, such as mixing and sensitivity to initial conditions, can be connected 
with those of good ciphers, such as confusion and diffusion. Since chaos the- 
ory has developed well in recent decades, and numerous chaotic systems can be 
employed in ciphers, chaos should be a new rich source of cryptography. 

Generally speaking, there are two chief ways to design digital chaotic ciphers: 1) using chaotic systems to generate a pseudo-random keystream to encrypt plaintext [3,5,6,7,8,10,11,12]; 2) using plaintext and/or secret key as the initial conditions and/or control parameters, and iterating/counter-iterating chaotic systems n times to obtain the ciphertext [2,9,13,14,15,16]. The first way corresponds to stream ciphers and the second to block ciphers. Some other ways have also been proposed [17,18,19]. Meanwhile, some efficient attacks have been presented [20,21,22,23,24,25]. In the rest of this section, we give a brief survey of the proposed digital chaotic ciphers and discuss some problems existing in them.

1.1 Overview

Digital chaotic stream ciphers: Many different chaotic systems have been employed to generate pseudo-random keystreams: the 2-D Henon attractor in [3], the logistic map in [10], the generalized logistic map in [6], a quasi-chaotic nonlinear filter in [7], piecewise linear chaotic maps in [4,5,8,19], and first-order nonuniformly sampling digital phase-locked loop (DPLL) circuits in [11]. In [12] multiple different chaotic maps are suggested; the Bernoulli shift and the logistic map are used for demonstration. The algorithms generating chaotic pseudo-random keystreams can be divided into three classes: A1) extracting some bits of the chaotic orbits [4,5,6,12]; A2) determining which interval the chaotic orbits reach [3,8,10,11]; A3) taking the chaotic orbits themselves [7]. It should be noticed that some algorithms in A2) [8,10,11] can be considered as corresponding ones in A1), and A3) can be deemed a special case of A1). Several chaotic stream ciphers [3,6,7] have been shown not to be secure enough [20,21,22,23].



Digital chaotic block ciphers: The inverse tent map is used by T. Habutsu et al. in a chaotic cryptosystem [13], in which the plaintext represents the initial condition of the inverse tent map and the ciphertext is obtained by iterating this map N times. Because of the weakness of the piecewise linearity of the tent map and the use of 75 random bits, E. Biham presented a known-plaintext attack and a chosen-plaintext attack to break it [24]. Zbigniew Kotulski and Janusz Szczepanski generalized the method presented in [13] using other chaotic systems [15,14]. In Jiri Fridrich's chaotic cipher [16], the 2-D digital baker map is introduced to realize a secure pseudo-random permutation of 2-D plaintext such as digital images. A discrete version of the chaotic inverse system encryption approach is presented by Zhou Hong et al. in [9].



Other digital chaotic ciphers: M. S. Baptista suggested a new encryption method in [17]: a chaotic attractor is divided into S units representing different plaintexts, and the ciphertext is the number of iterations from an initial value to the unit representing the plaintext; the logistic map is used for demonstration. In [18], the following idea is introduced: run a chaotic system and use a threshold to generate a pseudo-random sequence from its orbit, find the position at which the plaintext occurs in the sequence, and take the corresponding information about the position as the ciphertext; the tent map is used as an example. G. Alvarez et al. pointed out that it is not secure at all if the tent map is used [25]. Li Shujun et al. improved the original chaotic cryptosystem to resist the proposed attacks [19].

1.2 Problems 

Although many digital chaotic ciphers have been proposed and some of them have not been confronted with effective attacks, there are still many problems existing in them. To design a really good digital chaotic cipher, they must be carefully considered. The following is a brief discussion of these problems:

1) Discrete Dynamics: When chaotic systems are realized discretely in finite computing precision, their discrete dynamics will be far different from the continuous ones. Some severe degradation will arise, such as short cycle-length, non-ideal distribution and correlation, etc. This problem was first noticed by J. Palmore, C. Herring [32] and D. Wheeler [21,22], and then by Ghobad Heidari-Bateni [33]. Up to now, there is no established theory to measure the discrete dynamics of chaos exactly and to indicate how to improve such degradation (we have proved some limited theoretical results in [34] recently). Only several engineering methods are suggested: using higher finite precision [21,22], a perturbation-based algorithm [4,5,35], and cascading multiple chaotic systems [33]. Actually, this problem is neglected in most digital chaotic ciphers [3,9,8,10,11,12,13,14,15,17,18], so their security cannot be adequately ensured.

2) Employed Chaotic Systems: Because the logistic map has been widely investigated in chaos theory and is very simple to realize, it has been used by some digital chaotic ciphers [6,10,12,17]. However, only when the control parameter r is 4.0 is the logistic map a surjective function with perfect chaotic properties. So r must be selected near 4.0 in these ciphers, which makes the key space much smaller. Other good candidates for simple realization are piecewise linear chaotic maps, such as the tent map [13,18] and the ones used in [4,5,9,8,19]. But we must be very careful in using them since there exist some weaknesses due to their piecewise linearity [24,25,34]. In fact, it is desirable that a digital chaotic cipher can work well with a large number of chaotic systems; such a property is called chaotic-system-free in this paper. Several chaotic ciphers are chaotic-system-free to some extent [12,15,17,18]. Some others can be chaotic-system-free since different chaotic systems are not essentially excluded by their design [10,11].

3) Encryption Speed: Some digital chaotic ciphers work so slowly that they are infeasible for real-time encryption [13,14,15,17,18,19]. While the chaotic systems are running in finite precision, floating-point or fixed-point arithmetic must be employed. Since floating-point arithmetic is much slower than fixed-point, we suggest using fixed-point arithmetic wherever possible. But several chaotic systems defined by complicated functions [6,15] must run under floating-point arithmetic, so they should be avoided in chaotic ciphers. The piecewise linear chaotic maps are the fastest chaotic systems, since only one division and several additions are needed in one iteration. Another problem concerning encryption speed is that, in order to enhance security, many ciphers need multiple chaotic iterations to generate one ciphertext [9,10,11,12,13,14,15,16,17,18,19], which lowers the encryption speed. In addition, some ciphers [17,18,19] have time-variant speed, so they cannot encrypt plaintext with a constant bit-rate, such as an MPEG video stream.

4) Practical Security: Most digital chaotic ciphers are claimed to be secure by their authors, but many of them are actually not. Because chaotic systems are deterministic systems, there are some tools in chaos theory to discern chaos. Once an intruder finds some information about the chaotic systems from their orbits, he might use such information to lessen the complexity of finding the secret key. For almost all digital chaotic ciphers [2,1,3,4,5,6,7,9,8,10,11,13,14,15,16,17,18,19], the ciphertext directly depends on the chaotic orbit of a single chaotic system, so the extraction of such information may be possible. In fact, based on this, many cryptanalysis methods [26,27,28,29,30] have been developed to break the analog secure communication approaches. If multiple chaotic systems are used [12,33], the cryptanalysis of chaotic ciphers will be more difficult since the output is determined by many different mixed chaotic orbits.

5) Realization: Simple realization by hardware and software at low cost is 
a very important requirement for a good digital cipher. In consideration of the 
above fact, the fixed-point arithmetic is better than the floating-point one since 
the latter needs more cost. Another desired requirement is the extensible security 
with considerably more cost and complexity. In fact, problems of realization are 
the crucial factors influencing the use of a cipher in many final applications, 
since there are so many kinds of ciphers that can provide enough security. 

Although many problems have not been settled in most digital chaotic ci- 
phers, we still believe that the chaotic and conventional cryptology will benefit 
each other from the mutual relationship between them; some other researchers 
hold the same opinion [2,1,16,31]. In this paper, we suggest a comprehensive so- 
lution to the existent problems. A novel pseudo-random bit generator (PRBG) 
based on a couple of chaotic systems, called CCS-PRBG, is presented, which 
has perfect cryptographic properties and can be used to construct stream ci- 
phers with high security. In these ciphers, most above-mentioned problems can 
be overcome satisfactorily. 

The outline of this paper is as follows. In Sect. 2, CCS-PRBG and its digital 
realization with finite precision are introduced. Analyses on cryptographic prop- 
erties of CCS-PRBG, including some experimental results, are given in Sect. 3. 
In Sect. 4, several examples of chaotic stream ciphers based on CCS-PRBG are 
established; discussion on the security is also given. The conclusion is given and 
some open research topics are pointed out in the last section. 

2 Couple Chaotic Systems Based PRBG (CCS-PRBG) 

As mentioned in Sect. 1, using chaos to generate pseudo-random numbers (PRN) is a general way to design digital chaotic stream ciphers. Besides the chaotic cryptography area, chaotic pseudo-random number generators (PRNG) have also attracted much attention in other research areas, such as communications [36,33,37] and physics [38]. Most chaotic PRNGs are based on a single chaotic system and generate PRN directly from its orbit. In Sect. 1.2, we have discussed that such chaotic PRNGs are potentially insecure, since the output PRN may expose some information about the chaotic systems. In this paper, we present a novel pseudo-random bit generator (PRBG) based on a couple of chaotic systems, which can provide higher security than other ciphers because two chaotic systems are employed to generate PRN. Here, we call it CCS-PRBG for short. Since the PRN is generated by comparing two different chaotic orbits, it is difficult
for an eavesdropper to extract information about both chaotic systems. More
detailed discussions on security will be given in Sect. 4, after some chaotic stream 
ciphers based on CCS-PRBG are described. 

2.1 Definition 

Assume there are two different one-dimensional chaotic maps $F_1(x_1, p_1)$ and $F_2(x_2, p_2)$: $x_1(i+1) = F_1(x_1(i), p_1)$, $x_2(i+1) = F_2(x_2(i), p_2)$, where $p_1, p_2$ are control parameters, $x_1(0), x_2(0)$ are initial conditions, and $\{x_1(i)\}$, $\{x_2(i)\}$ denote the two chaotic orbits.

Define a pseudo-random bit sequence $k(i) = g(x_1(i), x_2(i))$¹, where

$$g(x_1, x_2) = \begin{cases} 1, & x_1 > x_2 \\ \text{no output}, & x_1 = x_2 \\ 0, & x_1 < x_2 \end{cases} \qquad (1)$$

When some requirements are satisfied, the chaotic PRBG will have perfect cryptographic properties and be called "a Couple of Chaotic Systems based Pseudo-Random Bit Generator" (CCS-PRBG). These requirements are: R1) $F_1(x_1, p_1)$ and $F_2(x_2, p_2)$ are surjective maps defined on the same interval $I = [a, b]$; R2) $F_1(x_1, p_1)$ and $F_2(x_2, p_2)$ are ergodic on $I$, with unique invariant density functions $f_1(x)$ and $f_2(x)$; R3) one of the following conditions holds: $f_1(x) = f_2(x) = f(x)$, or $f_1(x)$, $f_2(x)$ are both even symmetrical to $x = (a+b)/2$; R4) $\{x_1(i)\}$, $\{x_2(i)\}$ are asymptotically independent as $i \to \infty$.

If one of the chaotic maps is replaced by a constant $c \in I$, $k(i)$ simplifies to the pseudo-random sequence in [11] and the chaotic threshold sequence in [36]. From such a viewpoint, CCS-PRBG can be regarded as the generalized version of them with a "pseudo-random and time-variant threshold parameter".

2.2 Digital Realization with Perturbation 

It is obvious that CCS-PRBG can be applied to both analog and digital chaotic ciphers. We will only consider digital CCS-PRBG in this paper. The perturbation-based algorithm in [4] is suggested to improve the statistical properties of digital CCS-PRBG. The algorithm can be described as follows.

Use two PRNGs to generate two pseudo-randomly distributed signals which are used to perturb the $l$ lowest bits of $\{x_1(i)\}$, $\{x_2(i)\}$, with intervals $\Delta_1, \Delta_2$ [4]². Maximal length linear feedback shift registers (m-LFSR) are the best perturbing PRNGs for hardware realization, and linear congruential generators for software realization [39]. Different from [4], this paper suggests determining $l$ as follows: $l \ge \lceil \lambda \cdot \log_2 e \rceil = \lceil 1.44\lambda \rceil$, where $\lambda$ is the Lyapunov exponent of the perturbed chaotic map and $\lceil x \rceil$ denotes the least integer not less than $x$. It is based on the following

¹ $g(x_1, x_2)$ can be considered as follows: one chaotic orbit is binarized by another chaotic orbit; the second chaotic orbit behaves like the threshold constant in [36,11].

² Please see [4] for more details on how to generate the perturbing signals. Of course, we can use some other generation algorithms; the only requirement is that the generated signals should be pseudo-randomly distributed.
Fig. 1. The digital CCS-PRBG with perturbation



fact: when the finite computing precision is n (bits), the least difference between two signals, $2^{-n}$, will on average become $e^{\lambda} \cdot 2^{-n}$ after one iteration (under fixed-point arithmetic). To keep the characteristics of the chaotic systems, $l \ll n$ should also be satisfied. Although the perturbing signal is much smaller than the chaotic signal, it can still drive $\{x_1(i)\}$, $\{x_2(i)\}$ in a very complex way since chaos is sensitive to initial conditions. The combination of digital chaos and the pseudo-randomness of PRNGs will make both chaos-theory-based and conventional cryptanalysis difficult.

Another trivial problem existing in digital CCS-PRBG is: when $x_1 = x_2$, $g(x_1, x_2)$ will not output a pseudo-random bit. An extra simple PRNG-3 can be introduced to determine $k(i)$. The digital CCS-PRBG with perturbation is shown in Fig. 1. We can see that it can be easily realized by both hardware and software.
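The following Python code is an added example, not the authors' implementation, of the digital CCS-PRBG of Sects. 2.1 and 2.2 in 32-bit fixed-point arithmetic: two piecewise linear chaotic maps (the map the paper uses in its experiments of Sect. 3.5), the bit function (1) with a third PRNG resolving ties, m pre-iterations, and m-LFSRs of degree 16 and 17 perturbing the l lowest bits every Δ1 = 99 and Δ2 = 101 iterations, the parameters of Sect. 3.5. Several details are our assumptions: the middle branch (x − p)/(1/2 − p) of the map, XOR as the perturbing operation, l = 4 (which satisfies l ≥ ⌈1.44λ⌉ for λ = ln 4 at p = 1/4, and l ≪ n), the two feedback polynomials taken as primitive, and the constructed key and LFSR seeds in demo_keystream.

```python
# Added example (not from the paper): digital CCS-PRBG in n-bit fixed point
# with m-LFSR perturbation, following Sects. 2.1-2.2; assumptions are marked.


def pwlcm(x, p, n=32):
    """Piecewise linear chaotic map F(x, p) on [0, 1) in n-bit fixed point.
    x and p are integers scaled by 2**n; p must satisfy 0 < p < 1/2."""
    one = 1 << n
    half = one >> 1
    if x > half:                      # right half of I: F(1 - x, p)
        x = one - x
    if x < p:                         # [0, p): x / p
        return (x * one) // p
    # [p, 1/2]: (x - p) / (1/2 - p); this branch is assumed (see lead-in)
    return ((x - p) * one) // (half - p) % one


class GaloisLFSR:
    """Maximal-length LFSR (m-LFSR), used here as the perturbing PRNG."""

    def __init__(self, mask, state):
        self.mask = mask              # feedback taps in Galois form
        self.state = state            # non-zero start state

    def bit(self):
        out = self.state & 1
        self.state >>= 1
        if out:
            self.state ^= self.mask
        return out

    def bits(self, k):
        v = 0
        for _ in range(k):
            v = (v << 1) | self.bit()
        return v


class CCSPRBG:
    """k(i) = g(x1(i), x2(i)): 1 if x1 > x2, 0 if x1 < x2, PRNG-3 bit on a tie."""

    def __init__(self, x1, x2, p1, p2, n=32, l=4, delta=(99, 101), m=16,
                 seeds=(0x1234, 0x1ABCD, 0x3579)):
        self.n, self.l, self.delta = n, l, delta
        self.x1, self.x2, self.p1, self.p2 = x1, x2, p1, p2
        # degrees 16 and 17 as in Sect. 3.5; feedback polynomials assumed
        # primitive: x^16+x^14+x^13+x^11+1 (0xB400), x^17+x^14+1 (0x12000)
        self.lfsr1 = GaloisLFSR(0xB400, seeds[0] & 0xFFFF)
        self.lfsr2 = GaloisLFSR(0x12000, seeds[1] & 0x1FFFF)
        self.tie = GaloisLFSR(0xB400, seeds[2] & 0xFFFF)   # PRNG-3
        self.i = 0
        for _ in range(m):            # m pre-iterations (Sect. 3.3)
            self._step()

    def _step(self):
        self.i += 1
        self.x1 = pwlcm(self.x1, self.p1, self.n)
        self.x2 = pwlcm(self.x2, self.p2, self.n)
        # every delta_j iterations XOR the l lowest bits with LFSR output
        if self.i % self.delta[0] == 0:
            self.x1 ^= self.lfsr1.bits(self.l)
        if self.i % self.delta[1] == 0:
            self.x2 ^= self.lfsr2.bits(self.l)

    def bit(self):
        self._step()
        if self.x1 > self.x2:
            return 1
        if self.x1 < self.x2:
            return 0
        return self.tie.bit()         # x1 == x2: g has no output, ask PRNG-3

    def bits(self, count):
        return [self.bit() for _ in range(count)]


def fixed(v, n=32):
    """Scale a float in [0, 1) to n-bit fixed point."""
    return int(v * (1 << n))


def ones_fraction(bits):
    return sum(bits) / len(bits)


def demo_keystream(count=20000):
    """Cipher 1 key (constructed values): x1(0), x2(0), p1, p2."""
    gen = CCSPRBG(fixed(0.31), fixed(0.62), fixed(0.27), fixed(0.41))
    return gen.bits(count)
```

ones_fraction over a few thousand output bits is the balance check of Sect. 3.1; it is a sanity check on the implementation, not evidence of security, and the choice of the perturbing operation and of the LFSR polynomials changes the cycle-length figures of Sect. 3.2 but not the structure shown here.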

3 Cryptographic Properties of Digital CCS-PRBG 

For {k{i)} generated by digital CCS-PRBG, the following cryptographic prop- 
erties are satisfied: 1) balance on {0, 1}; 2) long cycle-length; 3) high linear 
complexity approximating to half of the cycle-length; 4) (5-like auto-correlation; 
5) cross-correlation near to zero; 6) chaotic-system-free (see Sect. 1.2). Detailed 
discussions are given as follows, with some experimental results. 

3.1 Balance 

Theorem 1. If the two chaotic maps satisfy the above requirements R1-R4, then $P\{k(i) = 0\} = P\{k(i) = 1\}$, i.e., $k(i)$ is balanced on {0, 1}.

Proof. Because $F_1(x_1, p_1)$ and $F_2(x_2, p_2)$ are ergodic on $I = [a, b]$ (requirement R2), the orbits generated from almost all initial conditions will lead to the same distribution functions $f_1(x)$, $f_2(x)$ [40]. From requirement R4, the orbits $\{x_1(i)\}$, $\{x_2(i)\}$ are asymptotically independent, so the probabilities of $x_1 > x_2$ and $x_1 < x_2$ as $i \to \infty$ will be:

$$P\{x_1 > x_2\} = \int_a^b \int_a^x f_1(x) f_2(y)\,dy\,dx, \qquad (2)$$

$$P\{x_1 < x_2\} = \int_a^b \int_a^x f_2(x) f_1(y)\,dy\,dx. \qquad (3)$$

When requirement R3 holds, we can prove $P\{x_1 > x_2\} = P\{x_1 < x_2\}$:

R3-1) $f_1(x) = f_2(x) = f(x)$:

$$P\{x_1 > x_2\} = P\{x_1 < x_2\} = \int_a^b \int_a^x f(x) f(y)\,dy\,dx. \qquad (4)$$

R3-2) $f_1(x)$, $f_2(x)$ are both even symmetrical to $x = (a+b)/2$:

Define the mirror orbits of $x_1, x_2$ as $x_1' = a + b - x_1$, $x_2' = a + b - x_2$. From the symmetry of $f_1(x)$, $f_2(x)$, $x_1'$, $x_2'$ will have the same distributions $f_1(x)$, $f_2(x)$; then we have:

$$P\{x_1 > x_2\} = P\{x_1' < x_2'\} = \int_a^b \int_a^{x'} f_2(x') f_1(y')\,dy'\,dx' = P\{x_1 < x_2\}. \qquad (5)$$

Considering $x_1 > x_2 \Rightarrow k(i) = 1$ and $x_1 < x_2 \Rightarrow k(i) = 0$, $P\{x_1 > x_2\} = P\{x_1 < x_2\} \Rightarrow P\{k(i) = 0\} = P\{k(i) = 1\}$. The proof is complete.

Apparently, the above deduction is still based on the continuous conditions. When chaotic systems are discretely realized with perturbation, every chaotic orbit will be perturbed in time to a certain neighbor orbit by the small perturbing signal. Consequently, almost all orbits reach the discrete versions of $f_1(x)$, $f_2(x)$ with a little smoothing. For the discrete versions of $f_1(x)$, $f_2(x)$, the above deduction also holds if $\int$ is replaced by $\sum$³. Therefore, the balance will be approximately preserved in the digital CCS-PRBG with perturbation.



3.2 Long Cycle-Length 

When the ergodic chaotic systems are realized continuously, the cycle-length will be infinite for the orbit beginning at almost every initial condition [40]. However, as we have pointed out in Sect. 1, when they are discretely realized with finite precision, the short cycle-length problem will arise. Employing perturbation can solve this problem. Without loss of generality, assume two m-LFSRs are used as the perturbing PRNGs, whose degrees are $L_1, L_2$, and whose perturbing intervals are $\Delta_1, \Delta_2$. Then the cycle-lengths of $\{x_1(i)\}$, $\{x_2(i)\}$ are $\sigma_1 \Delta_1 (2^{L_1} - 1)$, $\sigma_2 \Delta_2 (2^{L_2} - 1)$, where $\sigma_1, \sigma_2$ are two positive integers [4]. So the cycle-length of $\{k(i)\}$ will be:

$$\mathrm{lcm}\big(\sigma_1 \Delta_1 (2^{L_1} - 1),\ \sigma_2 \Delta_2 (2^{L_2} - 1)\big). \qquad (6)$$

When $\Delta_1, \Delta_2$ and $L_1, L_2$ are selected to satisfy $\gcd(\Delta_1, \Delta_2) = 1$ and $\gcd(2^{L_1} - 1, 2^{L_2} - 1) = 1$, the cycle-length of $\{k(i)\}$ will be:

$$\mathrm{lcm}(\sigma_1, \sigma_2) \cdot \Delta_1 \Delta_2 (2^{L_1} - 1)(2^{L_2} - 1) \approx \mathrm{lcm}(\sigma_1, \sigma_2) \cdot \Delta_1 \Delta_2\, 2^{L_1 + L_2}. \qquad (7)$$

Such a cycle-length is long enough for most secure applications. Furthermore, there are still some methods that can be used to further prolong the cycle-length, such as the one in [5].

³ Equations (2) and (3) are replaced by $P\{x_1 > x_2\} \approx \sum_{x} P_1\{x_1 = x\} \sum_{y < x} P_2\{x_2 = y\}$ and $P\{x_2 > x_1\} \approx \sum_{x} P_2\{x_2 = x\} \sum_{y < x} P_1\{x_1 = y\}$. From the approximate symmetry to $x = 1/2$ of $x_1, x_2$ when a digital CCS-PRBG is realized with perturbation, we can obtain the following result: $P\{x_1 > x_2\} \approx P\{x_1 < x_2\}$.

3.3 High Linear Complexity and Good Correlation Properties 

Actually, requirement R4 and the balance of $\{k(i)\}$ imply that $\{k(i)\}$ is an independent and identically distributed (i.i.d.) bit sequence as $i \to \infty$. Therefore, it will have $\delta$-like auto-correlation and near-to-zero cross-correlation. What's more, it has been proved (see [41]) that an i.i.d. binary sequence has half-length linear complexity, so $\{k(i)\}_{i=1}^{n}$ will also have high linear complexity, approximating $n/2$⁴. So let us discuss under what condition requirement R4 will be satisfied for digital CCS-PRBG.

For any chaotic maps, even if the initial conditions or the control parameters have a very small difference, their orbits will become entirely different after a limited number of iterations. If there is some initial information about the orbits, the information will decrease to zero as $i \to \infty$. The relation between two chaotic orbits can be considered as such information. In chaos theory, the Kolmogorov entropy is defined to measure the decreasing rate of the information. For one-dimensional chaotic maps, the Kolmogorov entropy is equal to the Lyapunov exponent [42]. If the initially known information is $H$, it will be lost completely after $\eta \approx H/\lambda$ iterations [11], where $\lambda$ is the Lyapunov exponent. When chaotic systems are realized discretely, the information will decrease even faster since the quantization errors and small perturbing signals make the two orbits depart faster. So we can see that, as long as there is an initial difference between two chaotic orbits, they will become asymptotically independent as $i \to \infty$. Therefore, the equivalent requirement of R4 is $\{x_1(i)\} \ne \{x_2(i)\}$, that is to say, $F_1 \ne F_2$, or $x_1(0) \ne x_2(0)$, or $p_1 \ne p_2$.

Because the independence of $\{x_1(i)\}$, $\{x_2(i)\}$ holds after $\eta$ iterations, we suggest discarding the first $m$ bits of $\{k(i)\}$, where $m > \eta$. It means $m$ pre-iterations of the two chaotic maps should be done before $\{k(i)\}$ is output. Since $m$ is not very large, such pre-iterations need only a little extra computation.

Although the analyses given here are entirely theoretical, the experiments strongly support the theoretical results (see the following Fig. 2 and Sect. 3.5 for more details). In future research, we will try to find a strict proof that $\{k(i)\}$ generated by CCS-PRBG is a real i.i.d. binary sequence.

3.4 Chaotic-System-Free Property 

Considering that there are many chaotic maps satisfying requirements R1 and R2, and that requirements R3 and R4 just restrict the relation between the two chaotic systems, CCS-PRBG is obviously chaotic-system-free. Since piecewise linear chaotic maps satisfy requirements R1-R4, they are strongly suggested for use, from the viewpoint of encryption speed and realization (recall Sect. 1.2).

⁴ The cycle-length of $\{k(i)\}$ is $L = \mathrm{lcm}(\sigma_1 \Delta_1 (2^{L_1} - 1), \sigma_2 \Delta_2 (2^{L_2} - 1))$, not infinity. Hence, the linear complexity of $\{k(i)\}_{i=1}^{\infty}$ should be about $L/2$, not infinity either.
Fig. 2. Cryptographic properties of digital CCS-PRBG



3.5 Experimental Results 

In order to verify the theoretical results on the cryptographic properties of digital CCS-PRBG with perturbation, some experiments are made. The two chaotic maps are both selected as the following piecewise linear map defined on $I = [0, 1]$, which is used in [9] and analyzed in detail in [34]:

$$F_1(x, p) = F_2(x, p) = F(x, p) = \begin{cases} x/p, & x \in [0, p) \\ (x - p)/(1/2 - p), & x \in [p, 1/2] \\ F(1 - x, p), & x \in [1/2, 1] \end{cases} \qquad (8)$$



CCS-PRBG and Its Applications in Stream-Cipher Cryptography 325 



The finite computing precision is $n = 32$ (bits). The perturbing PRNGs are selected as two m-LFSRs, whose degrees are $L_1 = 16$, $L_2 = 17$ and whose perturbing intervals are $\Delta_1 = 99$, $\Delta_2 = 101$. The number of pre-iterations $m$ is 16. Both initial conditions and control parameters are generated randomly, and a large number of sub-sequences of $k(i)$ are extracted from random positions to test the cryptographic properties. The 0:1 ratio, linear complexity and auto-correlation of one sub-sequence are shown in Fig. 2a-c respectively. In Fig. 2d, the cross-correlation of two sub-sequences with identical initial conditions but slightly different ($2^{-n}$) control parameters is given. We can see that the experimental results coincide well with the theoretical analyses.
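To make the measurements of Sects. 3.3 and 3.5 concrete, here is an added Python example (ours, not the authors' test code) that computes the 0:1 ratio, the linear complexity by the Berlekamp-Massey algorithm, and the periodic auto- and cross-correlation, run over constructed inputs: the period-15 m-sequence of $x^4 + x + 1$ as a low-complexity reference, and a seeded PRNG output standing in for an i.i.d. keystream. The sequences and seeds are constructed, not the paper's data.

```python
# Added example (not from the paper): the statistical checks of Sects. 3.3
# and 3.5 (0:1 ratio, linear complexity via Berlekamp-Massey, periodic
# auto-/cross-correlation) run over constructed bit sequences.
import random


def lfsr_sequence(length, degree=4, taps=(0, 1), state=(1, 0, 0, 0)):
    """Fibonacci LFSR output; the defaults give the m-sequence of x^4 + x + 1
    (s[i+4] = s[i+1] xor s[i]), period 15 (constructed reference input)."""
    s = list(state)
    while len(s) < length:
        s.append(sum(s[-degree + t] for t in taps) & 1)
    return s[:length]


def random_reference(length, seed=0):
    """Constructed stand-in for an i.i.d. keystream, from a seeded PRNG."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(length)]


def ones_fraction(bits):
    return sum(bits) / len(bits)


def berlekamp_massey(bits):
    """Linear complexity of a binary sequence (length of the shortest LFSR
    that generates it), Berlekamp-Massey over GF(2)."""
    n = len(bits)
    c, b = [0] * n, [0] * n          # current and previous connection polys
    c[0] = b[0] = 1
    L, m = 0, -1                     # current length, index of last change
    for i in range(n):
        d = bits[i]                  # discrepancy between prediction and bit
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L


def autocorrelation(bits, shift):
    """Periodic auto-correlation with bits mapped to +-1: 1 at shift 0,
    near 0 at other shifts for an i.i.d. sequence (delta-like)."""
    n = len(bits)
    agree = sum(1 for i in range(n) if bits[i] == bits[(i + shift) % n])
    return (2 * agree - n) / n


def cross_correlation(a, b, shift):
    """Periodic cross-correlation of two equal-length sequences."""
    n = len(a)
    agree = sum(1 for i in range(n) if a[i] == b[(i + shift) % n])
    return (2 * agree - n) / n


def profile(bits):
    """The three single-sequence figures reported in Fig. 2a-c."""
    n = len(bits)
    return {
        "ones_fraction": ones_fraction(bits),
        "linear_complexity": berlekamp_massey(bits),
        "max_abs_autocorr": max(abs(autocorrelation(bits, s))
                                for s in range(1, n)),
    }
```

On the m-sequence the profile returns linear complexity 4 and auto-correlation −1/15 at every non-zero shift, the textbook LFSR figures; on the 200-bit PRNG reference the linear complexity comes out near 100, the half-length value the text cites from [41]. Running profile over the keystream of any of the generators in this paper is the check the authors report in Fig. 2.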

4 Construct Stream Ciphers Using Digital CCS-PRBG 

Based on digital CCS-PRBG, many different practical stream ciphers can be 
constructed. We will see these stream ciphers can provide feasible solutions to 
the problems existing in other digital chaotic ciphers. Using different configu- 
rations of CCS-PRBG, many stream ciphers can be obtained conveniently with 
considerably low cost and simple realization. Here, digital CCS-PRBG replaces 
the kernel role of LFSR in conventional stream-cipher cryptography. 

4.1 Some Examples of Stream Ciphers 

• Cipher 1: Given a digital CCS-PRBG with perturbation, the initial conditions $x_1(0)$, $x_2(0)$ and control parameters $p_1, p_2$ are the secret key. $\{k(i)\}$ is directly used to encrypt (generally by XOR) plaintext and to decrypt ciphertext.

The above Cipher 1 is the simplest stream cipher based on digital CCS-PRBG. If the finite computing precision is n (bits), the key entropy will be 4n. Moreover, it is easy to realize by hardware or software at rather low cost. On a Pentium III 800MHz PC, a software version based on the piecewise linear chaotic map (8) was developed with Turbo C 2.0 for test. The actual encryption speed reaches 9 Mbps under fixed-point arithmetic. Such a speed is faster than many other chaotic ciphers and is acceptable in many secure applications. Under hardware realization, the speed will be much higher.

If some simple modifications are made to cipher 1, enhanced stream ciphers with larger key entropy (higher security) and faster speed can be obtained with a little extra complexity and cost. Two examples are given as follows.

• Cipher 2: Given four one-dimensional chaotic systems $CS_0 \sim CS_3$, and five m-LFSRs m-LFSR$_0 \sim$ m-LFSR$_4$, in which m-LFSR$_0 \sim$ m-LFSR$_3$ are used to perturb $CS_0 \sim CS_3$. Before each iteration of $CS_0 \sim CS_3$, first use m-LFSR$_4$ to generate two 2-bit pseudo-random numbers $pn1(i)$ and $pn2(i)$. If $pn2(i) = pn1(i)$, set $pn2(i) = pn1(i) \oplus 1$. Then select $CS_{pn1(i)}$ and $CS_{pn2(i)}$ to compose the digital CCS-PRBG to generate $k(i)$. The secret key contains the initial conditions and control parameters of the four chaotic systems.

The key entropy will be $8n$ under n (bits) computing precision. m-LFSR$_4$ adds more complexity to the cryptanalysis, so such a cipher is more secure, with only double the realization cost and approximately the same encryption speed as cipher 1.

• Cipher 3: For piecewise linear chaotic maps defined on $I = [0, 1]$, such as the map (8), the invariant density function is $f(x) = 1$. When they are realized discretely, every bit of the orbits will be balanced on {0, 1}. Based on such a fact, we can define a generalized version of digital CCS-PRBG. Here assume the finite computing precision is n (bits). For one iteration of $F_1(x_1, p_1)$ and $F_2(x_2, p_2)$, generate n bits $K(i) = k_0(i) \cdots k_{n-1}(i)$ as follows:

for j = 0 to n − 1 do
    $x_1(i, j) = x_1(i) \ggg j$
    $x_2(i, j) = x_2(i) \lll j$
    $k_j(i) = g(x_1(i, j), x_2(i, j))$
end

where $\ggg$ ($\lll$) denotes the circular right (left) shift operation. Apparently, a stream cipher based on the generalized CCS-PRBG will run nearly n times faster than one based on the common CCS-PRBG, without loss of high security. When cipher 3 is realized in hardware with parallel arithmetic techniques, the encryption speed of cipher 3 will be close to s Mbps when the clock frequency is s MHz⁵. Such a speed approximately equals the speed of many conventional stream ciphers based on LFSRs, such as the Geffe generator and clock-controlled generators, and is faster than some complicated stream ciphers [39]. If we combine cipher 2 and cipher 3, both the security and the encryption speed can be improved much. Actually, in order to further enhance the security of Cipher 3, we can introduce another m-LFSR to pseudo-randomly control the direction of the circular shift operation of $x_1$ and $x_2$.
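The shift-based extraction of Cipher 3, together with the XOR encryption step of Cipher 1, as an added Python example (not the authors' code). The pairs $(x_1(i), x_2(i))$ are constructed uniform 32-bit words from a seeded PRNG standing in for the two chaotic orbits (the uniform invariant density $f(x) = 1$ is what the text relies on), the tie bit comes from a seeded PRNG playing the role of PRNG-3, and all function names are ours.

```python
# Added example (not from the paper): Cipher 3's generalized CCS-PRBG
# extraction (n bits per iteration via circular shifts) feeding the XOR
# stream cipher of Cipher 1. Orbit words and tie bits are constructed.
import random


def rotr(x, j, n=32):
    """Circular right shift of an n-bit word."""
    mask = (1 << n) - 1
    j %= n
    return ((x >> j) | (x << (n - j))) & mask


def rotl(x, j, n=32):
    """Circular left shift of an n-bit word."""
    mask = (1 << n) - 1
    j %= n
    return ((x << j) | (x >> (n - j))) & mask


def g(x1, x2, tie):
    """Bit function (1); PRNG-3 (the tie callable) supplies the bit on x1 == x2."""
    if x1 > x2:
        return 1
    if x1 < x2:
        return 0
    return tie()


def generalized_block(x1, x2, tie, n=32):
    """Cipher 3: n keystream bits from one iteration,
    k_j = g(x1 >>> j, x2 <<< j) for j = 0..n-1."""
    return [g(rotr(x1, j, n), rotl(x2, j, n), tie) for j in range(n)]


def keystream_bits(orbit_pairs, tie, n=32):
    bits = []
    for x1, x2 in orbit_pairs:
        bits.extend(generalized_block(x1, x2, tie, n))
    return bits


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def xor_bytes(data, key):
    return bytes(d ^ k for d, k in zip(data, key))


def constructed_orbits(count, seed=7):
    """Stand-in for (x1(i), x2(i)) pairs: uniform 32-bit words from a seeded
    PRNG, mimicking the uniform invariant density of map (8)."""
    rng = random.Random(seed)
    return [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(count)]


def cipher3_encrypt(plaintext, orbit_pairs, tie_seed=11, n=32):
    """Encrypt or decrypt (XOR is its own inverse) with Cipher 3's keystream."""
    tie_rng = random.Random(tie_seed)            # plays the role of PRNG-3
    needed = (len(plaintext) * 8 + n - 1) // n   # iterations for this message
    if len(orbit_pairs) < needed:
        raise ValueError("not enough orbit pairs for this message length")
    bits = keystream_bits(orbit_pairs[:needed],
                          lambda: tie_rng.getrandbits(1), n)
    return xor_bytes(plaintext, bits_to_bytes(bits))
```

Because the n bits of one iteration are all comparisons of rotations of the same two words, they are not independent in the way consecutive outputs of the basic generator are; the text's speed claim rests on every bit of a uniform orbit being balanced, which is the property the constructed words reproduce here.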



4.2 Security 

Generally speaking, the security of the above ciphers can be ensured by the perfect cryptographic properties of digital CCS-PRBG. But we have known that many chaotic ciphers are not secure although they have some "good" statistical properties. So we should still investigate whether or not the ciphers based on digital CCS-PRBG are secure enough against known cryptanalysis methods.

Many methods have been proposed to break analog chaotic encryption schemes, such as chaotic masking, switching and modulating approaches [26,27,28,29,30]. They work well because chaotic synchronization makes it possible to extract dynamical information of the chaotic systems. Since the transmitted signal must be used to realize synchronization of the transmitter and receiver, such information may be useful to restore the chaotic orbit and then extract the hidden message. For digital CCS-PRBG, because chaotic synchronization is not used and two different chaotic orbits are employed to make the pseudo-random keystream $k(i)$, the dynamics of the two chaotic systems cannot be obtained from the ciphertext. In addition, the pseudo-random perturbation also makes the cryptanalysis more difficult. Even if the plaintext is known, it is impossible to extract the two chaotic orbits just from $k(i)$. Hence, those methods, which are available to break secure communication approaches based on chaotic synchronization, cannot be used to break the ciphers based on digital CCS-PRBG.

⁵ Apparently, the speed is chiefly determined by the fixed-point divisions needed in the chaotic iterations. Since an n-bit digital divider consumes about n clock cycles for one n-bit division, the encryption speed of cipher 3 will be close to $(s/n) \cdot n = s$ Mbps.

Other known cryptanalysis methods aim at different weaknesses of the concerned chaotic ciphers. The one in [21,22] works because of the degraded statistical properties of discrete chaotic systems, which has been considered carefully and avoided by the perturbation-based algorithm in digital CCS-PRBG. The one in [20] is based on a specific weakness of the 2-D Henon map and cannot be generalized to other chaotic systems. The ones in [23,24,25] work for the special weaknesses in the corresponding ciphers and also cannot be extended to break CCS-PRBG based ciphers, which have an entirely different encryption structure.

We can see that the ciphers based on digital CCS-PRBG are secure against all known cryptanalysis methods of chaotic ciphers. Of course, before we can finally say "digital CCS-PRBG based ciphers are secure enough", further research on the cryptanalysis of digital CCS-PRBG should be done. But the above discussion implies that digital CCS-PRBG may be a new promising candidate to construct stream ciphers with high security and low cost.

There is one notable defect in the digital CCS-PRBG that should be mentioned 
here. Assume $x_1(0) = x_2(0)$. When the control parameters are $p_1, p_2$, let the 
generated pseudo-random bit sequence be $k(i)$; exchange the control parameters of 
the two chaotic maps, and let the generated sequence be $k'(i)$. If the two chaotic 
maps are perturbed by identical perturbing PRNGs with identical perturbing 
intervals ($\Delta_1 = \Delta_2$), then obviously $k'(i) = k(i)$, the natural 
consequence of $g(x_2, x_1) = g(x_1, x_2)$: the two keys $(p_1, p_2)$ and 
$(p_2, p_1)$ are equivalent, which halves the effective key space of the ciphers. 
To avoid this defect, different perturbing PRNGs or different perturbing intervals 
should be used, and $m > \max(\Delta_1, \Delta_2)$ is suggested. 
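The key-space halving above can be checked directly. The following is an added illustration, not the paper's code: it uses the logistic map $x \mapsto p\,x(1-x)$ as a stand-in for the two chaotic maps, xorshift32 as the perturbing PRNG, and an XOR of low-order bits as the symmetric combining function g (all assumptions; the paper's exact map, perturbation scheme and g are not on this page, and symmetry of g is the only property the defect needs). It shows that with identical perturbing PRNGs and intervals, swapping $(p_1, p_2)$ produces the identical keystream, and that the suggested remedy (different PRNG seeds or intervals) breaks the symmetry.

```javascript
// Added illustration (not from the paper) of the key-space halving defect.
// Stand-ins: the logistic map x -> p*x*(1-x) for the chaotic maps, xorshift32 for
// the perturbing PRNG, XOR of the low-order bits as a symmetric combining function.

const TWO32 = 4294967296;

// 32-bit fixed-point view of an orbit value x in (0, 1)
function toFixed32(x) {
  return Math.floor(x * TWO32) >>> 0;
}

// Perturbing PRNG stand-in: xorshift32 with a 32-bit seed
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s;
  };
}

// Symmetric combining function: g(x1, x2) === g(x2, x1) for all inputs
function g(x1, x2) {
  return (toFixed32(x1) ^ toFixed32(x2)) & 1;
}

// One digital chaotic map with control parameter p, initial value x0,
// its own perturbing PRNG (seed) and perturbing interval delta.
function makeMap(p, x0, seed, delta) {
  const prng = xorshift32(seed);
  let x = x0, step = 0;
  return () => {
    x = p * x * (1 - x);
    step += 1;
    if (step % delta === 0) {
      // perturb the 8 lowest bits of the fixed-point state (degradation control)
      x = ((toFixed32(x) ^ (prng() & 0xff)) >>> 0) / TWO32;
    }
    return x;
  };
}

// Coupled generator: k(i) = g(x1(i), x2(i))
function keystream(key, nbits) {
  const m1 = makeMap(key.p1, key.x0, key.seed1, key.delta1);
  const m2 = makeMap(key.p2, key.x0, key.seed2, key.delta2);
  let bits = "";
  for (let i = 0; i < nbits; i++) bits += g(m1(), m2());
  return bits;
}

// The "exchanged control parameters" key from the text
function swapParams(key) {
  return { ...key, p1: key.p2, p2: key.p1 };
}

// Defective configuration: x1(0) = x2(0), identical perturbing PRNG and identical
// intervals (delta1 = delta2), so swapping p1 and p2 merely swaps the two orbits.
const weakKey  = { p1: 3.91, p2: 3.97, x0: 0.3, seed1: 0x1234, seed2: 0x1234, delta1: 8, delta2: 8 };
// The paper's remedy: different perturbing PRNGs or different perturbing intervals.
const fixedKey = { ...weakKey, seed2: 0x5678, delta2: 11 };

// Does a key and its parameter-swapped twin produce the same keystream?
function collides(key, nbits = 256) {
  return keystream(key, nbits) === keystream(swapParams(key), nbits);
}
```

`collides(weakKey)` is true: the two orbits trade places and the symmetric g cannot tell, so one key out of every pair is wasted. `collides(fixedKey)` is false once the two maps are perturbed at different times or with different values, which is exactly the countermeasure the text recommends.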

5 Conclusion 

Current digital chaotic ciphers are surveyed, and some existing problems in them 
are discussed in this paper. A novel chaotic PRBG called CCS-PRBG is proposed to 
solve these problems. Theoretical analyses and experiments show that the digital 
CCS-PRBG has perfect cryptographic properties and can serve as the kernel of new 
stream cipher designs. In the future, details of the hardware realization of 
CCS-PRBG based stream ciphers will be addressed. As mentioned in Sect. 3.3, a 
rigorous proof that $\{k(i)\}$ is an i.i.d. sequence will also be studied further. 
Possible cryptanalysis methods against the digital CCS-PRBG are another open topic. 
Abstract. For decades cryptography strived for its goals by packing 
complexity into the exposed program, all the while pressing down the 
size of the secret key. Alas, modern technology (1) makes small keys 
a secondary requirement, (2) allows for layering of program logic, and 
(3) offers privacy and security offenders clever eavesdropping tools; alto- 
gether warranting a re-examination of the relative roles of the “passive” 
key and the “active” algorithm. We describe a working system where the 
nominal key is merged with some JavaScript code to become the “effec- 
tive key,” thereby conferring upon the JavaScript interpreter (standard 
part in modern browsers), the role of the exposed cryptographic algo- 
rithm. We show that such Key-Script offers equivocation, (deniability), 
and we provide a secure key-distribution scheme that is not based on 
one-way functions, rather on the attribute of equivocation. We examine 
this new setting, and argue that it formally defeats cryptanalysis, where 
in practice such robustness is somewhat qualified. 



1 Introduction 

To “cook” a plaintext into its corresponding ciphertext, two standard ingredients 
are customarily needed: an encryption algorithm, and an encryption key. Over 
the years, the key was envisioned as a secret bit sequence, and the algorithm was 
a process that operated on the plaintext and the key as two sources of passive 
data. The result of the operation was the ciphertext. 

Early in the life of the profession, the acclaimed Dutch cryptographer A. 
Kerckhoffs formulated his famous principle, which clarified the functional 
distinction between key and process. The process, Kerckhoffs argued, should be 
open to broad examination, so that any mathematical weakness therein is readily 
exposed; in turn, the absence of discovered weaknesses builds users' confidence in 
its merit. The key, said Kerckhoffs, is the sole element of the system which 
should remain secret (apart from the plaintext, of course). 

Based on this much regarded principle, we may switch around our definitions. 
The key will be defined as the element that, if changed, restores full security to 
a compromised system. In other words, by equipping a fully penetrated system 
with a new key, it is as if it was never penetrated. 
This, or the former definition, does not restrict the key to a specific format. 
The definition is functional. Same for the process. It is only by tradition that 
the key and the process have settled into die-cast formats. The key is invari- 
ably a rather small random bit sequence, and the process is almost invariably 
fixed in terms of its operation. Thus the following setup will be considered non- 
traditional: 

Case I: Process: RSA Encryption, (R); DES Encryption, (D); choice-al- 
gorithm, (C). 

Key: random-sequence of bits. (K). 

Based on the parity of the key the choice-algorithm will decide whether to 
activate DES, or RSA. 

This is a case of compounding well known encryption packages. One might ar- 
gue that there is no practical reason for such a setup because the two algorithms 
are so different from each other, and each is best for particular circumstances. 
Accordingly it would be foolish to pack one grand-encryption box with R+D+C 
above. Such argument may be valid on its merit, but it is premature. We first 
want to stress the option of compounding and how it fits into the standard def- 
initions of key and process. 

Case II: Opposite to compounding we find the case of disassembly: In any 
particular version of DES the plaintext block and the key undergo a fixed se- 
quence of processing steps. Now suppose that the “P-boxes” and the “S-boxes” 
are implemented as individual processing units, and the key contains bits which 
specify which of the boxes to use, in which order. In other words, the processing 
configuration is not fixed, as in the DES standard, but rather dependent upon 
the contents of the key. Even the block size may be key dependent. 

Case III: A process comprised of DES, (D), and Null, (N) where Null is a 
“do nothing” operator: input = output. The key is a stream of bits such that 
one of its attributes determines whether D or N is activated. 

We now examine these three cases according to Kerckhoffs's principle. On its 
face all three cases comply with Kerckhoffs's dictum. Alas, Kerckhoffs calls for 
examination of the robustness of the open algorithm. In Case I, assuming that both 
DES and RSA are robust, the combined setup is also robust. In Case II it is an 
open question: the key may dictate a combination of P-boxes and S-boxes whose 
result is easy prey for cryptanalysts. Accordingly Case II is suspect, because the 
process (the open part) does not contain sufficient information to allow an 
examiner to determine robustness. Case III is weak on its face: if the key selects 
the Null processor, the message is in the clear. A further examination qualifies 
that conclusion. The Case III setup could be an intermediate step in an encryption 
series. In that case the input will be 'garbled' (looking like ciphertext), and 
on examination of the output it would be impossible to determine prima facie that 
the Null option was used (rather than DES). 

So far this analysis seems very academic. To avert this reaction, we now 
consider the major proposition of this article. But before that we review the 
modern trend for distributed computing. 

Before browsers came to be, one could display graphics on a screen by commu- 
nicating to the local computer a bit-by-bit pixel representation of that graphics. 
The data volume was prohibitive. With browsers, the communicated file contains 
instructions for the local computer to construct the graphics on its own. The 
construction instructions are much smaller in volume than the actual picture. 
Similarly browser-associated languages, like VisualBasic Script and JavaScript 
contain computing parameters which are processed by the browser itself. The 
browsers grow bigger, more efficient and more powerful, and the programs be- 
come smaller and by reference also more powerful. Say then that smaller and 
smaller data volume of a browser-associated language will generate more and 
more action. 

Also, as a modern trend: the cryptographic key is no longer a letter sequence 
one spy remembers by heart, it is rather a lengthy, random looking, bit sequence. 

Taking these trends together, one may wonder: is it possible and advisable 
to merge the nominal key with some script language code to create a functional 
“key” which will refer to the browser (or the script interpreter therein), as the 
Kerckhoff open process? 

2 Script Key 

We consider a binary file (Ks) which, when processed by a browser program, is 
interpreted as HTML code with a script language embedded therein. The Ks file 
orders the browser to open two text windows on the screen, one marked plaintext 
(the p-window, or message window) and one marked ciphertext (the c-window, or 
encryption window). The user types a message into the p-window (or pastes one from 
the clipboard), then clicks a clearly marked "encrypt" button, which causes the 
system to generate a ciphertext, C, placed in the c-window. The ciphertext, 
comprised only of printable characters, may be pasted into the clipboard and from 
there attached to emails or files, as the user sees fit. The same ciphertext can 
be pasted back into the c-window at any time, and by pressing a clearly marked 
"decrypt" button the system reverses the former process and regenerates the 
original plaintext message in the p-window (from where it can be taken to any 
other application). This setup is a complete encryption/decryption system.¹ We 
can write: 

    C = Br(Ks, P) 

where C and P are the ciphertext and plaintext respectively, Br is the browser 
program, and Ks the HTML/Script file. The browser, Br, is fully specified. Ks 
serves as the formal, or functional, key for this system. 

¹ While a script allows only a limited-size message to be placed in the window, a 
file-based equivalent can easily be extended from this simple script configuration. 
There are several glaring distinctions between Ks and the traditional key 
(Kt). Kt has a known, fixed length, but its bit sequence is unrestricted. Ks may 
be of any desired length, but its contents must comply with the HTML/Script 
specification. This is the seminal difference: if Ks were of fixed, known size, it 
would be patently inferior to Kt, since statistically most random combinations for 
Ks would not constitute a valid sequence of HTML/Script statements. However, a 
browser will process an HTML/Script file of any length, statement by statement, 
as long as it lasts. A cryptanalyst ignorant of the key and its length will have to 
suspect any combination of legal HTML/Script statements. 

Moreover, browsers grow. Early versions of Internet Explorer and Navigator 
provided the JavaScript method Math.random() without a seed, and the ECMAScript 
standard still defines no seeded form of it. In future versions one might expect a 
choice among specific generators, say: 

    Math.random.LFSR[32, 11, 5](seed) 

specifying the LFSR method with a 32-bit register where the 32nd, the 11th and 
the 5th bits are XOR-ed to generate the new leftmost bit. As of today, such a 
special-case generator must be implemented in the JavaScript file (Ks) itself. The 
more elaborate the browser, the shorter Ks for the same results. Now, browsers 
are mainstay software, and there is a great deal of economic pressure to develop 
them, refine them and add more and more capabilities, far beyond the cause of 
encryption. But encryption can take a ride on this trend. 

Shift registers are notoriously inefficient in software compared to their hard- 
ware implementation. Accordingly, if the volume will justify it, an LFSR may 
be firmware or hardware supplied to support the browser. 

For an HTML/Script file to serve as a valid key there is a need to change 
it quite often, and properly. This requirement is analogous to the nominal key 
generation challenge. Borrowing from modern computer lingo, we refer to Ks 
generation as mutant-generation: generating mutants to a given Ks file, so that 
a cryptanalyst will be unable to discover it. 

3 Mutant Generation 

Functionally this is a parsing capability combined with data manipulation and 
symbolic manipulation. The mutant generator program will operate on a given 
Ks and generate a different K’s, or many distinct ones. 

It is a rather simple task to recognize data statements and change the data 
around. For example, the following JavaScript function substitutes a numeral 
with a string of four symbols drawn from X, Y, Z and W: 

    function numeric(number) { 
      // Data line: each digit 0-9 is immediately followed by its four-symbol code. 
      var line = "0YZZY1YZZZ2ZXXX3ZXXY4ZXXZ5ZXYX6ZXYY7ZXYZ8ZXZX9ZXZY"; 
      var place = line.indexOf(String(number)); 
      if (place === -1) return place;        // digit not present in the table 
      var numericxyz = line.substring(place + 1, place + 5); 
      return numericxyz; 
    } 

The mutant generator will find the "line =" statement and randomize the string to 
the right of it, complying with the rule that all digits 0-9 appear in some order 
and that between them there is a non-repeating sequence of the letters X, Y, Z, W. 
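As an added example (not the authors' implementation), here is the whole arrangement of Sections 2 and 3 in JavaScript: a key script Ks that carries a seed, a 16-symbol output alphabet and the cipher logic, including the LFSR with taps 32, 11, 5 described above; an interpreter Br with C = Br(Ks, P); and a mutant generator that rewrites only the data lines of Ks. The Br function, the UTF-8 handling and the two-symbols-per-byte printable encoding are assumptions made for illustration. One caveat a practitioner would add: the quoted taps give a feedback polynomial $x^{32}+x^{11}+x^{5}+1$ with an even number of terms, which is therefore divisible by $x+1$ and not primitive, so this register is not maximal-length; a real key script would choose primitive taps.

```javascript
// Added example (not the authors' implementation) of a script key Ks: a JavaScript
// source text carrying both the secret data and the cipher logic. Br stands in for
// the browser's script interpreter. The LFSR taps 32, 11, 5 are the ones quoted in
// the text; everything else is an assumption for illustration.

const Ks = `
  // ---- data part (what a mutant generator randomizes) ----
  const seed = 0x9e3779b9;
  const alphabet = "QWERTYUIOPASDFGH";   // 16 distinct printable symbols
  // ---- logic part ----
  // LFSR, 32-bit register, bit 1 = leftmost. Bits 32, 11 and 5 are XOR-ed to
  // form the new leftmost bit; the old bit 32 is the output bit.
  function* lfsr(state) {
    let r = state >>> 0;
    for (;;) {
      const b32 = r & 1, b11 = (r >>> 21) & 1, b5 = (r >>> 27) & 1;
      r = (((b32 ^ b11 ^ b5) << 31) | (r >>> 1)) >>> 0;
      yield b32;
    }
  }
  function keyBytes(n) {
    const gen = lfsr(seed), out = [];
    for (let i = 0; i < n; i++) {
      let b = 0;
      for (let j = 0; j < 8; j++) b = (b << 1) | gen.next().value;
      out.push(b);
    }
    return out;
  }
  // XOR the UTF-8 bytes with the keystream; emit two alphabet symbols per byte
  // so the ciphertext is printable and can be pasted into an email.
  function encrypt(p) {
    const bytes = new TextEncoder().encode(p), k = keyBytes(bytes.length);
    let c = "";
    for (let i = 0; i < bytes.length; i++) {
      const v = bytes[i] ^ k[i];
      c += alphabet[v >> 4] + alphabet[v & 15];
    }
    return c;
  }
  function decrypt(c) {
    const n = c.length >> 1, k = keyBytes(n), bytes = new Uint8Array(n);
    for (let i = 0; i < n; i++) {
      const v = (alphabet.indexOf(c[2 * i]) << 4) | alphabet.indexOf(c[2 * i + 1]);
      bytes[i] = v ^ k[i];
    }
    return new TextDecoder().decode(bytes);
  }
`;

// Br: the fixed, public interpreter. C = Br(Ks, P); P = Br(Ks, C, "decrypt").
function Br(ks, text, mode = "encrypt") {
  const run = new Function("text", "mode",
    ks + "\nreturn mode === 'decrypt' ? decrypt(text) : encrypt(text);");
  return run(text, mode);
}

// Mutant generator for the data part: rewrites the "const seed" and
// "const alphabet" lines with fresh random values. The logic part is untouched,
// so the mutant is still a valid key script for the same Br.
function mutate(ks, rand = Math.random) {
  const newSeed = Math.floor(rand() * 0xffffffff) + 1;
  const symbols = ks.match(/const alphabet = "([^"]+)"/)[1].split("");
  for (let i = symbols.length - 1; i > 0; i--) {          // Fisher-Yates shuffle
    const j = Math.floor(rand() * (i + 1));
    [symbols[i], symbols[j]] = [symbols[j], symbols[i]];
  }
  return ks
    .replace(/const seed = 0x[0-9a-f]+;/, `const seed = 0x${newSeed.toString(16)};`)
    .replace(/const alphabet = "[^"]+";/, `const alphabet = "${symbols.join("")}";`);
}

// Encrypt and decrypt under one key script, returning both results.
function roundTrip(ks, plaintext) {
  const c = Br(ks, plaintext);
  return { ciphertext: c, recovered: Br(ks, c, "decrypt") };
}
```

Note that Br is the only fixed component: a different Ks (for instance one produced by `mutate`) yields a different ciphertext for the same plaintext and does not decrypt ciphertexts made under the original, which is what makes Ks the key in the functional sense defined in the introduction.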

We have seen lately a fascinating advance in symbol manipulation: the abil- 
ity to generate mutants based on modifying the symbols that dictate the logic 
followed by the browser. It’s an irony that the most brilliant examples thereof 
are exhibited by malicious viruses which mutate to evade tracking software - 
and quite successfully. 

The mutant generator itself may, or may not be exposed. What matters is 
that the key space (mutant variability) will be large enough. In principle it is 
the unspecified length of Ks which guarantees unbounded variability, in theory 
at least, if not in practice. One must note that as mentioned before, per given 
key size Ks is much more restricted than Kt. 

The open ended key space, also offers a shot at equivocation. 

4 Equivocation 

The prevailing cryptographies suffer from a serious weakness that cryptographers 
don't like to talk about: zero equivocation. For a DES ciphertext it is highly 
unlikely that a second key (other than the one actually used) decrypts it to a 
plausible message. The same holds for RSA, elliptic curves, etc. This means one 
must rely on the assumption of intractability, that it is sufficiently difficult 
to locate the one and only key. There is no dispute that once found, it cannot be 
repudiated, because there is no other key to repudiate it with. Equivocation is 
the probability that more than a single plausible message fits a given ciphertext. 

With HTML/Script keys one could pose the following question: Consider a 
ciphertext C, generated from plaintext P by $K_s$. Now picking a message of 
choice, P', is it possible to construct an HTML/Script file $K'_s$ such that 

    C = Br(K_s, P) = Br(K'_s, P')                                       (1) 

We describe a procedure to accomplish this task. We write (omitting the 
subscript s for clarity): 

    K'(C, P') = K'_a(C_a, P'_a) + K'_b(C_b, P'_b) + K'_{ab}                (2) 

where $C = C_a (+) C_b$ and $P' = P'_a (+) P'_b$; the symbol (+) represents string 
concatenation, and $K'_a$, $K'_b$ and $K'_{ab}$ are all script keys. 

The idea is that one can separate the bits $C_a$ from C and some bits $P'_a$ from 
P' and associate them through a script key $K'_a$, while $K'_b$ associates the 
balance of the bits. $K'_{ab}$ is a script key containing the information needed 
to direct the browser to the separation of bits of the plaintext and the 
ciphertext. 

In other words, we replace the task of finding K' with the task of finding the 
smaller key scripts $K'_a$ and $K'_b$. This process can be repeated, and each 
iteration reduces the number of bits of P' and C that must be matched with a key. 
If necessary, such repeated breakdown reduces the plaintext and ciphertext to a 
single bit or a few bits, where basic Boolean logic (AND, NOT, XOR) guarantees a 
match, i.e. the existence of a corresponding key script. 

When the various keys and the respective $K_{ab}$ keys are summed, one might end 
up with a rather large $K'_s$, but it is still a legal key that satisfies (1). 
Note that the above is only a worst-case scenario; with some insight and ingenuity 
a much smaller $K'_s$ may be found. And if one adds the reality that, in order to 
establish equivocation (or deniability), it is only necessary for some plausible 
message to fit the ciphertext (not one message in particular), then the room for 
deniability maneuvers is that much greater. 

Equivocation serves as a basis for deniability. The latter refers to the credible 
denial, by an encryption user, of a claim that a particular plaintext is hidden in 
a captured ciphertext. We may consider the case of formal deniability, where the 
user denies that plaintext P was hidden in ciphertext C and insists that it was 
rather plaintext P' that was encrypted into C. As long as the user can point to a 
key script $K'_s$ such that $C = Br(K'_s, P')$, the claim has formal credibility. 
Alas, if $K'_s$ is a contrived key rather than the $K_s$ that actually encrypts P 
into C, its practical credibility is low: as shown above, a contrived key is 
likely to be a large one. Yet a smart user might encrypt the true message with a 
rather large key script, so that a cryptanalyst finds some shorter keys and is 
genuinely baffled by the equivocation. 



5 Usage 

The prospect of equivocation suggests a variety of very serious applications for 
the key script idea. Most of them will have to evolve as the concept takes a hold. 
In this preliminary stage we wish to outline a more casual usage, and discuss its 
merit. 

The average savvy Internet surfer is not using cryptography today, although, 
most of us have, at least occasionally some reasons to be discreet, and insure 
that a sensitive message is read only by whom we intend to read it. The reasons 
for this lack of personal use of cryptography are apparently: (1) complexity of 
usage, and (2) the black-box syndrome. 

Central to any encryption system is the need to manage the cryptographic 
keys: make them readily available when needed, and generally secure them from 
prying eyes. Often one requirement is served on account of the other. Also, most 
encryption environments are monolithic, that is, when activated they apply en- 
cryption to anything that goes through them. In reality even two intimates will 
have most of their communication in the 'ordinary' category, and only a minority 
thereof in the 'sensitive' or 'supersensitive' category. Therefore a monolithic 
environment is an imposition. 

The key script idea as it has already been implemented and in use today 
(albeit in beta testing mode), removes the notion of traditional key. The key 
and some logic appear as a simple WEB page with two windows: one for the 
plaintext, and one for ciphertext. Each window is associated with a click button 
that sends the data from one window to the other. So a writer who jots down a 
long email to a close friend, might appraise one paragraph to be of some sensitive 
nature. She will then cut that paragraph off the email, and paste its contents into 
the plaintext window in the key script page. Then simply click the “encrypt” 
button, and observe the encrypted version appear in the encryption window. 
Copied from there and pasted in the original letter, this paragraph will now be 
secure. 

When the full email arrives to the receiver, he quickly recognizes the en- 
crypted paragraph (a random looking sequence of lower case letters, upper case 
letters, digits and some symbols), copies it to the same WEB page but into the 
encryption window where a click on the ‘decrypt’ key will generate the original 
message. Task complete. 

In other words, the encryption ready WEB page which is the key script 
facilitates occasional encryption activity without upsetting the normal course of 
email flow, where encryption is in reality a rarity. 

To so use the key script, one needs an effective way to share the key. Using the 
mutant generator a single user can create a new key at will. The key can be saved 
on a floppy diskette, which can be mailed or hand delivered to a communication 
party. The users might invoke the WEB page (the key script) directly from the 
floppy, so that it is never copied into the hard drive. They use it to encrypt or 
decrypt and copy the results to other files or emails. Subsequently they kill that 
WEB page on the screen and remove the floppy. 

The "black-box" syndrome of most current cryptographies is disturbing to quite a 
few sophisticated users. If encryption and decryption are carried out by 
mysterious executables, one cannot be sure that some additional trap-door activity 
is not incorporated into the encrypted file. Using a key script, the logic is 
viewable and readable by opening the file in a text editor. There is no mystery: 
the data and the logic are open and can be analyzed step by step with tracing and 
debugging software, if so desired. The only black-box attributes lie with the 
browser itself, or more precisely the script interpreter therein. But there are 
numerous independent browsers on the market, and unless one theorizes a wide 
conspiracy, it is safe to assume that the various browsers all comply with the 
language definition, and nothing more. 



6 Key Distribution 

Key script equivocation may serve as a basis for a key distribution scheme, which 
will further the desirability of this paradigm. Today, key distribution is based 
on the notion of one-way functions, or intractability. It has been argued above 
that intractability is a tentative assumption that taints this method 
intrinsically. The following scheme offers an alternative: Alice wishes to change 
the encryption key which she and Bob use in their secret communications. To that 
end, Alice builds a history file that chronicles in detail her communication with 
Bob; it also includes information she knew about Bob before they began their 
secret communication. We designate this history file $H_0$. Now Alice prepares 
fake history files $H_1, H_2, H_3, \dots, H_n$, which are all plausible but all 
false. Then, banking on key script equivocation, for each of the H files Alice 
produces a key script that relates it to a given ciphertext, C: 

    C = E(K_i, H_i)    for i = 0, 1, 2, ..., n                            (3) 

Then Alice communicates C and $K_0, K_1, K_2, \dots, K_n$ to Bob. Bob knows the 
history of his communication with Alice, and thereby identifies $K_0$ as the 
proper key. Eve, the eavesdropper, is confused by the multiplicity of keys, since 
she cannot distinguish among the $n+1$ history files she recovers by decrypting C 
under each of the keys. Of course, this key distribution mechanism is stronger in 
proportion to the value of n. It can also be used in conjunction with a one-way 
function, serving as an extra layer thereof. 
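An added example, not from the paper, of the construction behind equations (1) and (2) of Section 4 and of the key distribution scheme just described. Carrying the split of C and P' down to single bits ends in a per-bit XOR mask, so the worst-case contrived key K' is essentially a one-time pad as long as C plus the interpreter glue; the code builds such a K' for any chosen P' and then uses it for Alice's n+1 histories. The Br function, the sample ciphertext and the histories are constructed for illustration. The last function is Eve's side: with C and all of $K_0, \dots, K_n$ she recovers every $H_i$, which is why the scheme rests solely on her inability to tell the true history from the fakes, and on the key sizes giving nothing away.

```javascript
// Added example (not from the paper): the worst-case construction behind
// equation (1), carried to the single-bit level, and its use for the key
// distribution of Section 6. Br stands in for the browser; everything else is
// an assumption for illustration.

// Br: evaluate a key script and apply its encrypt/decrypt function.
function Br(ks, text, mode = "encrypt") {
  const run = new Function("text", "mode",
    ks + "\nreturn mode === 'decrypt' ? decrypt(text) : encrypt(text);");
  return run(text, mode);
}

// Given a ciphertext C and any chosen plaintext P' (|P'| <= |C|, both treated as
// Latin-1 strings), build a key script K' with Br(K', P') === C. Splitting C and
// P' down to single bits and matching them with Boolean logic, as in equation
// (2), ends in exactly this: a per-character XOR mask pad[i] = C[i] XOR P'[i]
// plus the unmatched tail of C copied verbatim.
function contriveKey(C, Pprime) {
  if (Pprime.length > C.length) throw new Error("P' must not exceed C in length");
  const pad = [], tail = C.slice(Pprime.length);
  for (let i = 0; i < Pprime.length; i++) {
    pad.push(C.charCodeAt(i) ^ Pprime.charCodeAt(i));
  }
  return `
    const pad = ${JSON.stringify(pad)};
    const tail = ${JSON.stringify(tail)};
    const xor = (s) => Array.from(s, (ch, i) =>
      String.fromCharCode(ch.charCodeAt(0) ^ (pad[i] || 0))).join("");
    function encrypt(p) { return xor(p) + tail; }
    function decrypt(c) { return xor(c.slice(0, pad.length)); }
  `;
}

// Section 6: one true history H0 and n fake ones, all tied to the same C.
// Returns the key scripts K0..Kn that Alice sends to Bob together with C.
function distributeKeys(C, histories) {
  return histories.map((h) => contriveKey(C, h));
}

// Eve's view: with C and every K_i she recovers every H_i, so the scheme's
// strength rests entirely on her inability to tell H0 from the fakes.
function evesView(C, keys) {
  return keys.map((k) => Br(k, C, "decrypt"));
}

// Constructed sample: a random-looking printable C (as Section 5 describes),
// one real history and two plausible fakes. All are made up for this example.
const C = "pK7ZqR3vLm9sXb2WcYd4HnJf8TgQeUa1Vx5BzN0yIoEh6PtS";
const histories = [
  "2001-03: Bob asked about the merger",   // H0, the true chronology
  "2001-03: Bob asked about the picnic",   // H1, fake
  "2001-04: Alice sent the budget draft",  // H2, fake
];
```

Compare `contriveKey(C, h).length` with `C.length`: every contrived key is several times longer than the ciphertext it explains, which is the "large contrived key" effect Section 4 warns about, and an observer who sees both the genuine and the contrived keys would notice if only the genuine one were short.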

7 Case Study 

A full implementation of key script cryptography is given at 
http://www.agsencryptions.com/dnlnotes.htm. 



8 Outlook 

For the past three decades computing has shown consistent preference in favor of 
the open system. The secretive does not survive. Details must be reviewable, and 
black boxes don’t stand. One may extend this trend to cryptography. Despite 
the large number of users, there are very few professional cryptographers who 
have the skills to judge an encryption setup. The rest, rely on these judgments. 
The small size of the experts circle creates a festering of suspicion and a sense of 
discomfort. Such sense can be alleviated if more of what happens between the 
plaintext and the ciphertext is up, in the open, and readable - not just by the 
few, but by the many. Psychologically and practically the key script serves this 
trend. 

The other attribute of key script, equivocation, may prove even more powerful. 
Whether through quantum decoders or some other nifty computing devices, it is 
hard to imagine that, with all the innovation the human race has accomplished, one 
feat will remain beyond reach: efficient factorization of large numbers. The day 
will come when the intractability behind RSA, DES and elliptic curves is so 
eroded that these mainstay cryptographies will no longer cut it. As we approach 
that day, we also invite more attention to any equivocation-based cryptography, be 
it quantum cryptography or be it key scripts. 
Abstract. Given a cyclic group G and a generator g, the Diffie-Hellman function 
(DH) maps two group elements $(g^a, g^b)$ to $g^{ab}$. For many groups G this 
function is assumed to be hard to compute. We generalize this function to the 
P-Diffie-Hellman function (P-DH) that maps two group elements $(g^a, g^b)$ to 
$g^{P(a,b)}$ for a (non-linear) polynomial P in a and b. In this paper we show 
that computing DH is computationally equivalent to computing P-DH. In addition we 
study the corresponding decision problem. In sharp contrast to the computational 
case, the decision problems for DH and P-DH can be shown to be not generically 
equivalent for most polynomials P. Furthermore we show that there is no generic 
algorithm that computes or decides the P-DH function in polynomial time. 



1 Introduction 

Let G be a finite cyclic group and let g be a generator of G. The Diffie-Hellman 
function, $\mathrm{DH}: G \times G \to G$, is given by $\mathrm{DH}(g^a, g^b) = 
g^{ab}$. This function is used, for instance, in the Diffie-Hellman cryptosystem 
[3]. Here two parties, say Alice and Bob, agree on a common pair (G, g); a is the 
private key of Alice, b is the private key of Bob, $g^a$ is sent from Alice to 
Bob, $g^b$ vice versa, and finally both of them are able to compute $g^{ab}$. The 
Computational Diffie-Hellman assumption claims that the function DH is hard to 
evaluate. 

In this work we generalize the Diffie-Hellman function in the following way. Let 
$P(a, b)$ be a function in a and b. We define the P-Diffie-Hellman function, 
$\text{P-DH}: G \times G \to G$, as 

$$\text{P-DH}(g^a, g^b) = g^{P(a,b)}.$$ 

Clearly, the Diffie-Hellman function is obtained by setting $P(a, b) = ab$. We 
will restrict our studies to the case where P is a non-linear polynomial in a and 
b. 

The function that computes $g^{a^2}$ from $g^a$ is called the Square Exponent 
function. A motivation for the analysis of this variant of the Diffie-Hellman 
function is that certain cryptographic systems exist whose security relies on the 
hardness of this function. An example is a scheme for key escrow with limited 
time span [1]. 
Maurer and Wolf [5] prove the equivalence of computing the Diffie-Hellman function 
and computing the Square Exponent function. Further theoretical research on the 
Square Exponent function was done in [2,8]. 

Clearly, computing the P-DH function cannot be harder than computing the DH 
function for a polynomial $P(a, b)$. In Section 3 we also show the converse 
direction, i.e. that computing the Diffie-Hellman function is computationally 
equivalent to computing the P-DH function for non-linear polynomials $P(a, b)$. As 
we will see, the strength of our result depends on the smallest prime factor of 
the group order. In Section 4 we study the corresponding decision problem: for 
random group elements $g^a, g^b$ and, in random order, $g^{P(a,b)}$ and a random 
group element, decide which of the two is $g^{P(a,b)}$. In sharp contrast to the 
results in Section 3, we show that the decision problems for the Diffie-Hellman 
function and the P-Diffie-Hellman function are provably not generically 
equivalent for most polynomials $P(a, b)$. On the other hand, we show that no 
efficient generic algorithm can decide the P-Diffie-Hellman function. Finally, in 
Section 5 we mention some open problems. 

2 Definitions 

We say that an algorithm is efficient if it runs in probabilistic polynomial time. 
We call a function $\alpha$ negligible in n if $\alpha(n) < 1/R(n)$ holds for 
every polynomial R and for sufficiently large n. 

P-Diffie-Hellman function. Let G be a finite cyclic group whose order |G| is an 
n-bit integer. Let $\mathbb{Z}_{|G|}$ denote the ring of integer residue classes 
modulo |G|. Let $k = k(n)$ and $l = l(n)$ be two functions mapping integers to 
integers. Let $\mathcal{P}^k_l = \mathcal{P}^k_l(n)$ be the family of sets of all 
non-linear polynomials $P(a, b)$ over $\mathbb{Z}_{|G|}$ of the form 

$$P(a, b) = \sum_{i + j \le l} c_{ij}\, a^i b^j$$ 

with coefficients $c_{ij} \in \mathbb{Z}_{|G|}$ and absolute values $|c_{ij}|$ 
bounded by k. We restrict the polynomials $P(a, b)$ to non-linear polynomials, 
i.e. $c_{ij} \ne 0$ must hold for at least one (i, j) with $i + j \ge 2$. To 
simplify our notation we introduce $\mathcal{P}_l := \mathcal{P}^{\lfloor |G|/2 \rfloor}_l$ 
(no restriction on the coefficients) and $\mathcal{P} := \mathcal{P}_{|G|-1}$. 

For a cyclic finite group G, a fixed generator g of G and a polynomial $P \in 
\mathcal{P}$ we define the P-Diffie-Hellman function, $\text{P-DH}: G \times G 
\to G$, as 

$$\text{P-DH}(g^a, g^b) = g^{P(a,b)},$$ 

where P is called the defining polynomial of the P-Diffie-Hellman function. 



Examples of the P-DH function are: 

    Name                               Defining polynomial        P-Diffie-Hellman function 
    Diffie-Hellman function [3]        $P(a, b) = ab$             $\mathrm{DH}(g^a, g^b) = g^{ab}$ 
    Square Exponent function [5]       $P(a, b) = a^2$            $\mathrm{SE}(g^a) = g^{a^2}$ 
    To-the-s Diffie-Hellman function   $P(a, b) = a^s$            $\text{P-DH}(g^a, g^b) = g^{a^s}$ 
                                       $P(a, b) = a^2 b + a b^2$  $\text{P-DH}(g^a, g^b) = g^{a^2 b + a b^2}$ 
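As an added example, not from the paper, the functions of the table in a toy group: the order-509 subgroup of $\mathbb{Z}_{1019}^*$ generated by g = 4 (1019 = 2·509 + 1, both prime), with BigInt arithmetic. Beyond the table's entries, it carries out the easy direction stated in the introduction for an arbitrary polynomial: $g^{P(a,b)}$ is computed from $g^a$, $g^b$ and a DH oracle alone, using $i+j-1$ oracle calls per monomial $a^i b^j$. The oracle is simulated by brute-force discrete logarithm, which is only possible because the group is tiny; the term-list encoding of P is an assumption for illustration.

```javascript
// Added example (not from the paper) in a toy group: the order-509 subgroup of
// Z_1019^* generated by g = 4 (1019 = 2*509 + 1, both prime), using BigInt.
// DH, SE and a P-DH function are evaluated directly from the exponents, and then
// g^{P(a,b)} is computed from g^a, g^b and a DH oracle only (the easy direction
// P-CDH <= CDH). The oracle cheats with a brute-force discrete logarithm, which
// is fine in a group of 509 elements and impossible in a real one.

const p = 1019n, q = 509n, g = 4n;

function modpow(base, e, m) {
  let r = 1n;
  for (base %= m; e > 0n; e >>= 1n, base = base * base % m) if (e & 1n) r = r * base % m;
  return r;
}
const mod = (x, m) => ((x % m) + m) % m;

// Direct evaluation from the exponents (what the honest parties can do)
const DH = (a, b) => modpow(g, mod(a * b, q), p);             // P(a,b) = ab
const SE = (a)    => modpow(g, mod(a * a, q), p);             // P(a,b) = a^2
// P given as a list of terms [i, j, c] meaning c * a^i * b^j (assumed encoding)
const evalP = (terms, a, b) =>
  terms.reduce((s, [i, j, c]) => mod(s + c * a ** i * b ** j, q), 0n);
const PDH = (terms, a, b) => modpow(g, evalP(terms, a, b), p);

// Toy DH oracle: DH(g^a, g^b) = (g^b)^a after recovering a by exhaustive search
function dhOracle(ga, gb) {
  for (let a = 0n; a < q; a++) if (modpow(g, a, p) === ga) return modpow(gb, a, p);
  throw new Error("input not in the subgroup");
}

// g^{a^i b^j} from g^a and g^b with i + j - 1 oracle calls
function monomial(ga, gb, i, j, dh) {
  let acc = null;
  for (let k = 0n; k < i; k++) acc = acc === null ? ga : dh(acc, ga);
  for (let k = 0n; k < j; k++) acc = acc === null ? gb : dh(acc, gb);
  return acc === null ? g : acc;   // i = j = 0 is the constant term g^1
}

// P-DH(g^a, g^b) = prod_{i,j} (g^{a^i b^j})^{c_ij}: the reduction P-CDH <= CDH
function pdhViaOracle(ga, gb, terms, dh = dhOracle) {
  return terms.reduce(
    (acc, [i, j, c]) => acc * modpow(monomial(ga, gb, i, j, dh), mod(c, q), p) % p, 1n);
}

// The table's last example, P(a,b) = a^2 b + a b^2
const P_EXAMPLE = [[2n, 1n, 1n], [1n, 2n, 1n]];
```

The number of oracle calls is the degree of P times the number of its terms at most, so the reduction is efficient for every P in $\mathcal{P}_{\mathrm{poly}(n)}$; the converse direction, recovering $g^{ab}$ from a P-DH oracle, is the substance of Section 3 and needs the root-extraction machinery introduced there.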
Considered Group Families. Let $\mathcal{G} := (G_n, g_n)_{n \in \mathbb{N}}$ be a 
family of finite cyclic groups and generators. We define $\mathfrak{G}$ as the set 
of all families $\mathcal{G}$ where the bit length of the (efficiently computable) 
group order $|G_n|$ is of the order n. We define 

$$\mathfrak{G}(\mathrm{nsprime}) := \{\mathcal{G} : \forall \text{ polynomials } R\ \exists n_0\ \forall n > n_0 : \mathrm{minpf}(|G_n|) > R(n)\}$$ 

as the set of all families $\mathcal{G}$ such that the minimal prime factor of the 
group order $|G_n|$ is larger than any polynomial (nsprime stands for "no small 
prime factor"). 

Computational Assumptions. Let $\mathcal{G} = (G_n, g_n)_{n \in \mathbb{N}} \in 
\mathfrak{G}$ be a family of groups and generators, and let $\varepsilon(n)$ be a 
function in n taking values in the interval [0, 1]. For $P \in \mathcal{P}$ the 
$\varepsilon(n)$-P-Computational Diffie-Hellman assumption for $\mathcal{G}$ 
($\varepsilon(n)$-P-CDH($\mathcal{G}$)) is: there is no efficient algorithm that, 
given random group elements $g^a$ and $g^b$, outputs $g^{P(a,b)}$ with 
probability at least $\varepsilon(n)$ (taken over the uniformly distributed input 
and the coin tosses of the algorithm). 

We define $\varepsilon(n)$-CDH($\mathcal{G}$) as the assumption 
$\varepsilon(n)$-P-CDH($\mathcal{G}$) for $P(a, b) := ab$, and 
$\varepsilon(n)$-CSE($\mathcal{G}$) as the assumption 
$\varepsilon(n)$-Q-CDH($\mathcal{G}$) for $Q(a, b) := a^2$. 

The assumption that for all polynomials R there is no efficient algorithm that, 
given $g^a$ and $g^b$, outputs $g^{P(a,b)}$ with (asymptotic) probability at least 
$1/R(n)$ is denoted $\frac{1}{\mathrm{poly}(n)}$-P-CDH($\mathcal{G}$). Vice versa, 
the assumption that there is no efficient algorithm that, given $g^a$ and $g^b$, 
outputs $g^{P(a,b)}$ with probability $1 - \alpha(n)$, where $\alpha(n)$ is a 
negligible function in n, is denoted P-CDH($\mathcal{G}$). 

We say that the assumption $\varepsilon(n)$-P-CDH holds if 
$\varepsilon(n)$-P-CDH($\mathcal{G}$) holds for every family $\mathcal{G} \in 
\mathfrak{G}$. We say that $\varepsilon(n)$-P-CDH$_{\mathrm{nsprime}}$ holds if 
$\varepsilon(n)$-P-CDH($\mathcal{G}$) holds for every family $\mathcal{G} \in 
\mathfrak{G}(\mathrm{nsprime})$. 

Relations. To express relations among assumptions we use the following notation: 
$A \Rightarrow B$ means that if assumption A holds, so does assumption B. 
Equivalently, if there is an efficient algorithm $\mathcal{A}_B$ breaking 
assumption B, then we can build another efficient algorithm with (oracle) access 
to $\mathcal{A}_B$ which breaks assumption A. 

Generic Algorithms (notation of Shoup [7]). An encoding function on the additive 
group $(\mathbb{Z}_m, +)$ is an unknown injective map $\sigma: \mathbb{Z}_m \to 
\{0, 1\}^n$ for some integer n. A generic algorithm knows nothing about the 
structure (representation) of the underlying algebraic group. More precisely, a 
generic algorithm $\mathcal{A}$ for $\mathbb{Z}_m$ is a probabilistic algorithm 
that takes as input an encoding list $(\sigma(x_1), \dots, \sigma(x_k))$, where 
$\sigma$ is an encoding function. Operations can only be performed via addition 
and subtraction oracles which, given two indices i, j, return the encodings 
$\sigma(x_i + x_j)$ and $\sigma(x_i - x_j)$ respectively. The new encoding is then 
added to the encoding list. The output of the algorithm is denoted by 
$\mathcal{A}(\sigma; x_1, \dots, x_k)$. An example of a generic algorithm is the 
Pohlig-Hellman algorithm that computes the discrete logarithm. 

Relations between assumptions that make use only of generic reduction algorithms 
are marked by a $\sigma$. For instance, $A \not\Rightarrow_\sigma B$ means that no 
efficient reduction is possible when computation is restricted to generic 
algorithms, and $\mathrm{true} \Rightarrow_\sigma B$ means that there is no 
efficient generic algorithm that can break assumption B. Note that such 
"impossibility statements" for generic algorithms are very weak, because problems 
might get substantially easier when adding an encoding to the group G. 



3 The Computational Case

3.1 Previous Work

Theorem 1. 1. true $\stackrel{\sigma}{\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-CDH$_{\mathrm{nsprime}}$ (Shoup [7]).

2. true $\stackrel{\sigma}{\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-CSE$_{\mathrm{nsprime}}$ (Wolf [9]).

3. $\frac{1}{\mathrm{poly}(n)}$-CDH $\Leftrightarrow$ CDH (Shoup's Diffie-Hellman self-corrector [7]).

4. $\frac{1}{\mathrm{poly}(n)}$-CDH $\Leftrightarrow$ $\frac{1}{\mathrm{poly}(n)}$-CSE (Maurer and Wolf [5]).

3.2 This Work

The following two main theorems of this section state the equivalence of the two assumptions $P$-CDH and $Q$-CDH for two defining polynomials $P$ and $Q$. Note that it is the size of the smallest prime factor of the group order that decides which of the two theorems is the stronger one.

Theorem 2. For every constant $l$ and for every $P, Q \in \mathcal{P}_l$ we have:

$\frac{1}{\mathrm{poly}(n)}$-$P$-CDH$_{\mathrm{nsprime}}$ $\Leftrightarrow$ $\frac{1}{\mathrm{poly}(n)}$-$Q$-CDH$_{\mathrm{nsprime}}$.

Theorem 3. For $l \in O(\sqrt{\log n})$ and for every $P, Q \in \mathcal{P}_l$ we have:

$P$-CDH $\Leftrightarrow$ $Q$-CDH.

No generic algorithm can efficiently break the assumption $\frac{1}{\mathrm{poly}(n)}$-$P$-CDH$_{\mathrm{nsprime}}$.

Theorem 4. For every $P \in \mathcal{P}_{\mathrm{poly}(n)}$ we have: true $\stackrel{\sigma}{\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-$P$-CDH$_{\mathrm{nsprime}}$.

The proof of Theorem 4 uses techniques due to Shoup [7] and can be found in the full version of this paper [4].

Theorem 5 ($P$-DH self-corrector). For every constant $l$ and every $P \in \mathcal{P}_l$ we have: $\frac{1}{\mathrm{poly}(n)}$-$P$-CDH $\Leftrightarrow$ $P$-CDH.



3.3 Proofs

Computing Roots in $G$ will be an important building block for the proofs of our theorems. We will shortly summarize some known theoretical results from [9]. For a finite cyclic group $G$ of known order $|G|$ let $d \in \mathbb{Z}_{|G|}$ and $x, a \in G$. Then the equation

$$x^d = a$$

has exactly $s := \gcd(|G|, d)$ different solutions $x_1, \ldots, x_s$ (there must be at least one, $x$). They are called $d$-th roots of $a$ and can be computed by a probabilistic algorithm in expected $O(s \cdot \mathrm{poly}(n))$ bit operations. In fact, for this algorithm to work one has to know which prime factors are shared by $d$ and $|G|$. But in our application $d$ is always small enough to compute this relation. Therefore a complete factorization of $|G|$ is not needed, only $|G|$ must be known. The proof of the following simple lemma can be found in the full version [4]:

Lemma 1. For $(G,g) = (G_n, g_n)_{n \in \mathbb{N}} \in \mathbb{G}(\mathrm{nsprime})$ let $d \in \mathbb{Z}_{|G|}$ and $x, a \in G$ be random elements. Then the equation $x^d = a$ has with overwhelming probability a unique solution $x$.

The following central lemma says that once we are given an algorithm that computes DH with non-negligible probability of success, then we can compute $P$-DH with overwhelming probability of success for any polynomial $P(a,b)$. Recall that, for instance, $P$-CDH is the assumption that there is no efficient algorithm that computes the $P$-Diffie-Hellman function.

Lemma 2. For every $P \in \mathcal{P}_{\mathrm{poly}(n)}$ we have: $P$-CDH $\Rightarrow$ $\frac{1}{\mathrm{poly}(n)}$-CDH.

Proof. Fix the family $(G,g) = (G_n, g_n)_{n \in \mathbb{N}} \in \mathbb{G}$. Assume $\frac{1}{\mathrm{poly}(n)}$-CDH is wrong, i.e. there is an oracle that computes DH with non-negligible probability of success. Use the Diffie-Hellman self-corrector of Theorem 1 (3) to get an algorithm that computes DH with overwhelming probability of success. With this reliable algorithm for DH at hand, given $g^a$ and $g^b$, any monomial can be computed by repeated multiplication or squaring in the exponent. Hence, $P$-DH can be constructed "monomial-by-monomial" (there are at most polynomially many) by addition in the exponent. This breaks assumption $P$-CDH. □

With this observation at hand the proof of Theorem 5 ($P$-DH self-corrector) is easy. Clearly "$\Rightarrow$" holds. To prove "$\Leftarrow$" we "detour" over DH. This will be a very frequently used strategy in our proofs. Let $P \in \mathcal{P}_l$ and let an oracle $O_{P\text{-}DH}$ be given that computes $P$-DH with non-negligible probability of success. Due to Theorem 2 we can construct an algorithm that computes DH with non-negligible probability of success. Now apply Lemma 2.

Proof Outline of Theorem 2 and Theorem 3: Due to Lemma 2 in both cases it is sufficient to show that given an algorithm that computes $P$-DH for a $P \in \mathcal{P}_l$ then there is an algorithm that computes DH. Lemma 3 deals with the special case $P \in \mathcal{P}_2$. It can be viewed as the induction base. In Lemma 4 computing $P$-DH for a $P \in \mathcal{P}_l$ is reduced through an efficient algorithm to computing $Q$-DH for a $Q \in \mathcal{P}_{l-1}$. This lemma can be viewed as the induction step which is then applied recursively $l - 2$ times. As we will see we have to take care of a blow-up of the coefficients of the polynomial $Q$ in the induction step.

Lemma 3. 1. For $P \in \mathcal{P}_2$ we have: $P$-CDH $\Leftrightarrow$ CDH.

2. For $P \in \mathcal{P}_2$ we have: $\frac{1}{\mathrm{poly}(n)}$-$P$-CDH$_{\mathrm{nsprime}}$ $\Leftrightarrow$ $\frac{1}{\mathrm{poly}(n)}$-CDH$_{\mathrm{nsprime}}$.

Proof. We first prove part 1 of the lemma. Let $P \in \mathcal{P}_2$. Because of Lemma 2 it is sufficient to show $P$-CDH $\Leftarrow$ $\frac{1}{\mathrm{poly}(n)}$-CDH. Let $(G,g) = (G_n, g_n)_{n \in \mathbb{N}} \in \mathbb{G}$. Let $O_{P\text{-}DH}$ be an oracle that computes $P$-DH, i.e. given $g^a, g^b$, $O_{P\text{-}DH}$ outputs

$$g^{P(a,b)} = g^{c_{20}a^2 + c_{21}a^2b + c_{22}a^2b^2 + c_{10}a + c_{11}ab + c_{12}ab^2 + c_{00} + c_{01}b + c_{02}b^2}.$$

We want to design an algorithm that computes DH with non-negligible probability of success. The main idea of the proof is to "eliminate" any appearance of $a^ib^j$ and $a^jb^i$ in the exponent for every $0 \le i, j \le 2$ by the multiplicative combination of calls to $O_{P\text{-}DH}$. For this, the algorithm queries the oracle for $Y_+ = O_{P\text{-}DH}(g^{a+b}, g) = P\text{-DH}(g^{a+b}, g)$ and $Y_- = O_{P\text{-}DH}(g^{a-b}, g) = P\text{-DH}(g^{a-b}, g)$. Division of the two outputs yields $C = Y_+ \cdot Y_-^{-1} = g^{4c_2 ab + 2c_1 b}$, where $c_i := \sum_{j=0}^{2} c_{ij}$ is known. First assume $c_2 \ne 0$. Now $g^{4c_2 ab} = C \cdot (g^b)^{-2c_1}$ can be computed. Assume $4c_2$ is positive, otherwise invert. Now compute all $4c_2$-th roots of $g^{4ab \cdot c_2}$ (there are $s := \gcd(4c_2, |G|)$), i.e. all solutions of the equation

$$x^{4c_2} = g^{4ab \cdot c_2} \qquad (1)$$

with $x = g^{ab}$. This can be done in time $O(s \cdot \mathrm{poly}(n)) = \mathrm{poly}(n)$, because for all coefficients $c_{ij} = \mathrm{poly}(n)$ holds. Now output one of the roots of equation (1) at random; one of them is the correct one, $g^{ab}$. Hence, for the case $c_2 \ne 0$ the success probability of the algorithm is $\varepsilon(n) \ge 1/s \ge 1/(4c_2) = 1/\mathrm{poly}(n)$.

In the case $c_2 = 0$ we query the oracle for $P\text{-DH}(g^{a+b}, \cdot)$ or $P\text{-DH}(g^{a-b}, \cdot)$. As shown in the full paper [4] at least one of those queries leads to a successful computation of $g^{ab}$. This completes the proof of part 1.

Now let $(G,g) = (G_n, g_n)_{n \in \mathbb{N}} \in \mathbb{G}(\mathrm{nsprime})$ and let $P \in \mathcal{P}_2$. We show part 2 of the lemma. Let $O_{P\text{-}DH}$ be an oracle that outputs $P$-DH with success probability at least $\varepsilon(n) = 1/\mathrm{poly}(n)$. First the algorithm queries the oracle for $Y_+ = O_{P\text{-}DH}(g^{a+b+s}, g^t)$ and $Y_- = O_{P\text{-}DH}(g^{a-b+u}, g^v)$ for random and known values $s, t, u, v$. Note that the queries are random and independent. Therefore the probability that both calls give the correct answer is at least $\varepsilon^2(n)$. Assume this is the case, thus $Y_+ = P\text{-DH}(g^{a+b+s}, g^t)$ and $Y_- = P\text{-DH}(g^{a-b+u}, g^v)$. Now the key observation is that because the minimal prime factor of $|G|$ is not too small, every coefficient in the exponent has a unique inverse with overwhelming probability (Lemma 1). In this case the inverse is efficiently computable. From

$$Y_+ = g^{c_2(a+b+s)^2 + c_1(a+b+s) + c_0} = g^{c_2(a+b)^2 + 2c_2(a+b)s + c_2s^2 + c_1(a+b+s) + c_0}$$

for $c_i = \sum_{j=0}^{2} c_{ij}t^j$ a simple computation gives us $g^{(a+b)^2}$. For the same reason we get $g^{(a-b)^2}$ from $Y_-$. Again by division $g^{4ab}$ can be computed and hence $g^{ab}$. We have constructed an algorithm that computes DH with success probability of at least $\varepsilon^2(n) = 1/\mathrm{poly}(n)$. □



The next lemma is the "induction step" to prove Theorems 3 and 2.

Lemma 4. 1. For a $P \in \mathcal{P}_l^k$ let $O_{P\text{-}DH}$ be an oracle that breaks $P$-CDH. Then for $k' := 2kl2^l$ there is a $Q \in \mathcal{P}_{l-1}^{k'}$ and an efficient algorithm that breaks $Q$-CDH making at most 3 queries to $O_{P\text{-}DH}$.

2. For a function $\varepsilon > 0$ and for a $P \in \mathcal{P}_l^k$ let $O_{P\text{-}DH}$ be an oracle that breaks $\varepsilon(n)$-$P$-CDH$_{\mathrm{nsprime}}$. Then there is a $Q \in \mathcal{P}_{l-1}$ and an efficient algorithm that breaks $\varepsilon^3(n)$-$Q$-CDH$_{\mathrm{nsprime}}$ making at most 3 queries to $O_{P\text{-}DH}$.

Proof. We start proving the first part of this lemma. Let $P \in \mathcal{P}_l^k$ and let $(G,g) = (G_n, g_n)_{n \in \mathbb{N}} \in \mathbb{G}$. The main idea of this proof again is to eliminate any appearance of $g^{a^ib^j}$ for any $i, j$ by computing $P\text{-DH}(g^{a+b}, g) \cdot (P\text{-DH}(g^{a-b}, g))^{-1}$.

Case 1: $l$ even. Making two queries to the oracle $O_{P\text{-}DH}$, algorithm $\mathcal{A}^{O_{P\text{-}DH}}$ gets

$$Y_+ = P\text{-DH}(g^{a+b}, g) = g^{c_l(a+b)^l + c_{l-1}(a+b)^{l-1} + \cdots + c_0}$$

and

$$Y_- = P\text{-DH}(g^{a-b}, g) = g^{c_l(a-b)^l + c_{l-1}(a-b)^{l-1} + \cdots + c_0},$$

where $c_i := \sum_{j=0}^{l} c_{ij}$. Now assume $c_l \ne 0$. $c_l$ might be 0, but in this case continue with the same trick as in the proof of Lemma 3(1). Because $l$ is even, division leads to $g^{Q(a,b)} = Y_+ \cdot Y_-^{-1}$ where

$$g^{Q(a,b)} = g^{c_l((a+b)^l - (a-b)^l) + c_{l-1}((a+b)^{l-1} - (a-b)^{l-1}) + \sum_{i=1}^{l-2} c_i((a+b)^i - (a-b)^i)}$$

$$= g^{2c_l\left(\binom{l}{1}a^{l-1}b + \binom{l}{3}a^{l-3}b^3 + \cdots + \binom{l}{l-1}ab^{l-1}\right) + 2c_{l-1}\left(\binom{l-1}{1}a^{l-2}b + \cdots + b^{l-1}\right) + \cdots}.$$

Each coefficient of $a^ib^j$ of this polynomial $Q(a,b)$ is either 0 (if $j$ is even) or $2c_{i+j}\binom{i+j}{j} \le 2kl\binom{l}{\lfloor l/2 \rfloor} \le 2kl2^l =: k'$ (if $j$ is odd). Note that the coefficients of the monomials $a^l$ and $b^l$ are always 0. Thus $Q(a,b) \in \mathcal{P}_{l-1}^{k'}$. Algorithm $\mathcal{A}^{O_{P\text{-}DH}}$ outputs $g^{Q(a,b)} = Q\text{-DH}(g^a, g^b)$.

Case 2: $l$ odd. With three queries to the oracle $O_{P\text{-}DH}$, algorithm $\mathcal{A}^{O_{P\text{-}DH}}$ gets

$$g^{Q(a,b)} = P\text{-DH}(g^{a+b}, g) \cdot P\text{-DH}(g^{a-b}, g)^{-1} \cdot P\text{-DH}(g^b, g)^{-2}$$

where $Q(a,b) = 2c_l\,l\,a^{l-1}b - 2c_{l-1}b^{l-1} + \cdots$. A similar computation as in the even case shows that $Q(a,b) \in \mathcal{P}_{l-1}^{k'}$ with $k'$ defined as above. Algorithm $\mathcal{A}^{O_{P\text{-}DH}}$ outputs $g^{Q(a,b)} = Q\text{-DH}(g^a, g^b)$. This completes the proof of the first part.

The proof of the second part of the lemma can be found in [4]. □

Now we are ready to give the proof of Theorem 3.

Proof (of Theorem 3). Let $(G,g) = (G_n, g_n)_{n \in \mathbb{N}} \in \mathbb{G}$. For $l \in O(\sqrt{\log n})$ and $k \in \mathrm{poly}(n)$ let $P \in \mathcal{P}_l^k$. Due to Lemma 2 it is sufficient to show $P$-CDH $\Leftarrow$ CDH. Let $O_{P\text{-}DH}$ be an oracle that computes $P$-DH. Now apply $(l-2)$ times Lemma 4(1) recursively to get a polynomial $Q$ and an efficient algorithm that computes $Q$-DH. $Q \in \mathcal{P}_2^{f(k,l)}$ where $f(k,l) = k \cdot \prod_{i=2}^{l} i2^i \le k \cdot l!\,2^{l^2} = \mathrm{poly}(n) \cdot \mathrm{poly}(n) = \mathrm{poly}(n)$. The number of queries to $O_{P\text{-}DH}$ is at most $3^{l-2} = \mathrm{poly}(n)$. Now use Lemma 3(1) to construct an efficient algorithm that computes DH$(g^a, g^b)$ with overwhelming probability of success. □

The proof of Theorem 2 is similar and can be found in the full paper [4].
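The reductions of Lemma 3 and Lemma 4 and the recursion of the Theorem 3 proof, carried out in a toy group as an added example (this is not code from the paper): the $P$-DH oracle is simulated with a brute-force discrete-log table, the group is the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generator 4, and a polynomial is a dict of its coefficients; all of these parameters are constructed here for illustration.

```python
# Toy instantiation of the Theorem 3 reduction (added example, not the paper's code).
# Group: the order-q subgroup of Z_p^* for the constructed safe prime p = 2q+1 = 2039,
# q = 1019, generated by g = 4 (toy sizes, not secure). A polynomial P(a,b) is a dict
# {(i, j): c_ij} standing for sum c_ij a^i b^j with coefficients mod q.
from math import comb

P_MOD, Q_ORD, G = 2039, 1019, 4
_LOG = {pow(G, x, P_MOD): x for x in range(Q_ORD)}  # brute-force dlog, simulation only

def mul(x, y): return x * y % P_MOD
def inv(x): return pow(x, -1, P_MOD)

def pdh_oracle(coeffs):
    """Perfect P-DH oracle O_P-DH: (g^x, g^y) -> g^{P(x,y)}. Only the simulated oracle
    reads discrete logs from the table; the reduction below never does."""
    def oracle(X, Y):
        x, y = _LOG[X], _LOG[Y]
        e = sum(c * pow(x, i, Q_ORD) * pow(y, j, Q_ORD) for (i, j), c in coeffs.items())
        return pow(G, e % Q_ORD, P_MOD)
    return oracle

def lower_degree(coeffs, oracle):
    """Lemma 4 (and Lemma 3's first step for l = 2): from O_P-DH with P in P_l build
    O_Q-DH with Q in P_{l-1}, g^{Q(a,b)} = P-DH(g^{a+b},g) * P-DH(g^{a-b},g)^-1
    [* P-DH(g^b,g)^-2 if l is odd]. Also returns Q's coefficients symbolically."""
    l = max(max(i, j) for i, j in coeffs)
    c = [sum(v for (i, _), v in coeffs.items() if i == d) % Q_ORD for d in range(l + 1)]
    if c[l] == 0:
        raise NotImplementedError("c_l = 0 needs the extra queries of Lemma 3(1)")
    Q = {}
    for i in range(1, l + 1):  # c_i((a+b)^i - (a-b)^i) = 2 c_i sum_{k odd} C(i,k) a^{i-k} b^k
        for k in range(1, i + 1, 2):
            Q[(i - k, k)] = (Q.get((i - k, k), 0) + 2 * c[i] * comb(i, k)) % Q_ORD
    if l % 2:  # odd l: the stray 2 c_l b^l is cancelled by subtracting 2 P(b,1)
        for i in range(l + 1):
            Q[(0, i)] = (Q.get((0, i), 0) - 2 * c[i]) % Q_ORD
    def q_oracle(A, B):
        out = mul(oracle(mul(A, B), G), inv(oracle(mul(A, inv(B)), G)))
        return mul(out, inv(pow(oracle(B, G), 2, P_MOD))) if l % 2 else out
    return {m: v for m, v in Q.items() if v}, q_oracle

def dh_from_pdh(coeffs, oracle):
    """Theorem 3: lower the degree until Q in P_1, then strip the linear part and take
    the c_11-th root; in this prime-order group gcd(c_11, q) = 1, so the root is unique."""
    while max(max(i, j) for i, j in coeffs) > 1:
        coeffs, oracle = lower_degree(coeffs, oracle)
    c11, c10, c01, c00 = (coeffs.get(k, 0) for k in ((1, 1), (1, 0), (0, 1), (0, 0)))
    if c11 % Q_ORD == 0:
        raise ValueError("P_1 requires c_11 != 0")
    def dh(A, B):  # returns g^{ab} from A = g^a, B = g^b
        lin = mul(mul(pow(A, c10, P_MOD), pow(B, c01, P_MOD)), pow(G, c00, P_MOD))
        return pow(mul(oracle(A, B), inv(lin)), pow(c11, -1, Q_ORD), P_MOD)
    return dh
```

In a group of composite order the last step would have to try all $s = \gcd(c_{11}, |G|)$ roots as in Lemma 3(1); here $|G|$ is prime, which is the unique-root situation of Lemma 3(2).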
4 The Decisional Case

Let $\mathcal{G} = (G_n, g_n)_{n \in \mathbb{N}} = (G,g)$ be a family of groups and generators and let $\varepsilon(n)$ be a function in $n$. Then the $\varepsilon(n)$-$P$-Decision Diffie-Hellman assumption for $\mathcal{G}$ ($\varepsilon(n)$-$P$-DDH$(\mathcal{G})$) is: There is no efficient algorithm $\mathcal{A}$ that, given random group elements $g^a, g^b$ and (in random order) $g^{P(a,b)}$ and another random group element, identifies $g^{P(a,b)}$ with probability $1/2 + \varepsilon(n)$ (taken over the input and coin tosses of $\mathcal{A}$). Let $\varepsilon(n)$-$P$-DDH$_{\mathrm{nsprime}}$, $\varepsilon(n)$-$P$-DDH as well as the Decision Square Exponent assumption $\varepsilon(n)$-DSE and the Decision Diffie-Hellman assumption $\varepsilon(n)$-DDH be defined as in the computational case.



4.1 Previous Work

Theorem 6. 1. true $\stackrel{\sigma}{\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-DDH$_{\mathrm{nsprime}}$ (Shoup [7]).

2. true $\stackrel{\sigma}{\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-DSE$_{\mathrm{nsprime}}$ (Wolf [9]).

3. $\frac{1}{\mathrm{poly}(n)}$-DDH $\stackrel{\sigma}{\not\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-DSE$_{\mathrm{nsprime}}$ (Wolf [9]).

4. $\frac{1}{\mathrm{poly}(n)}$-DDH $\Leftarrow$ $\frac{1}{\mathrm{poly}(n)}$-DSE (Wolf [9]).

4.2 This Work

We define the set of polynomials $\mathcal{P}_2^*$ for which the reduction from $P$-DDH to DDH is possible. Let $\mathcal{P}_2^* \subset \mathcal{P}_2$ be the set of polynomials $P(a,b)$ given by

$$P(a,b) = (d_{00}a + d_{01}b)(d_{10}a + d_{11}b) + c_{10}a + c_{01}b + c_{00}, \qquad c_{ij}, d_{ij} \in \mathbb{Z}_{|G|}.$$

Example polynomials of $\mathcal{P}_2^*$ include $P(a,b) = a^2 - b^2$ and $P(a,b) = (a+b)^2$.

We characterize the relation between the assumptions $\frac{1}{\mathrm{poly}(n)}$-DDH and $\frac{1}{\mathrm{poly}(n)}$-$P$-DDH in the following two theorems. Remember that $\mathcal{P}_1$ is the set of polynomials $P(a,b) = c_{11}ab + c_{01}a + c_{10}b + c_{00}$ satisfying $c_{11} \ne 0$.

Theorem 7. For every $P \in \mathcal{P}_{\mathrm{poly}(n)} \setminus \mathcal{P}_2^*$ and $Q \in \mathcal{P}_2^*$ we have:

1. $\frac{1}{\mathrm{poly}(n)}$-DDH$_{\mathrm{nsprime}}$ $\stackrel{\sigma}{\not\Leftarrow}$ $\frac{1}{\mathrm{poly}(n)}$-$P$-DDH$_{\mathrm{nsprime}}$.

2. $\frac{1}{\mathrm{poly}(n)}$-DDH $\Leftarrow$ $\frac{1}{\mathrm{poly}(n)}$-$Q$-DDH.

Theorem 8. For every $P \in \mathcal{P}_{\mathrm{poly}(n)} \setminus \mathcal{P}_1$ we have:

$\frac{1}{\mathrm{poly}(n)}$-DDH$_{\mathrm{nsprime}}$ $\stackrel{\sigma}{\not\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-$P$-DDH$_{\mathrm{nsprime}}$.

The proof of Theorem 8 uses techniques due to Shoup [7] and can be found in the full paper [4]. The next theorem is a direct corollary of Theorem 7 (1).

Theorem 9. For every $P \in \mathcal{P}_{\mathrm{poly}(n)}$ we have: true $\stackrel{\sigma}{\Rightarrow}$ $\frac{1}{\mathrm{poly}(n)}$-$P$-DDH.
4.3 Proofs

The following lemma gives an alternative characterization of $\mathcal{P}_2^*$.

Lemma 5. 1. If $P(a,b) \in \mathcal{P}_2^*$ then there are non-trivial linear combinations $R$, $S$ and $T$ of $1$, $a$, $b$ and $P(a,b)$ over $\mathbb{Z}_{|G|}$ that satisfy the relation

$$\forall a, b: \quad R(1, a, b, P(a,b)) \cdot S(1, a, b, P(a,b)) = T(1, a, b, P(a,b)). \qquad (2)$$

2. Let $(G,g) \in \mathbb{G}(\mathrm{nsprime})$ and let $P \in \mathcal{P}_{\mathrm{poly}(n)}$. If relation (2) is satisfied, then $P \in \mathcal{P}_2^*$ holds with overwhelming probability (over the choices of $P$).

Proof. Let $R(a,b) = r_0 + r_1a + r_2b + r_3P(a,b)$, $S(a,b) = s_0 + s_1a + s_2b + s_3P(a,b)$ and $T(a,b) = t_0 + t_1a + t_2b + t_3P(a,b)$. Relation (2) can only hold for all $a, b$ if $r_3 = s_3 = 0$. Thus, viewed as polynomials over $a$ and $b$, relation (2) is satisfied iff $(r_1a + r_2b) \cdot (s_1a + s_2b) = u_0 + u_1a + u_2b + t_3P(a,b)$, where $u_0 := t_0 - r_0s_0$, $u_1 := t_1 - r_0s_1 - r_1s_0$ and $u_2 := t_2 - r_0s_2 - r_2s_0$. Consequently, for any $P(a,b) \in \mathcal{P}_2^*$, relation (2) can be satisfied (setting $t_3 = 1$). Now let $(G,g) \in \mathbb{G}(\mathrm{nsprime})$ and relation (2) be satisfied. Due to Lemma 1, $t_3$ is invertible in $\mathbb{Z}_{|G|}$ with overwhelming probability. In this case obviously $P \in \mathcal{P}_2^*$ holds. □

The next lemma proves Theorem 7 (2).

Lemma 6. Let $P \in \mathcal{P}_2^*$ and let $O_{DDH}$ be an oracle that breaks $\varepsilon(n)$-DDH. Then there is an efficient algorithm $\mathcal{A}^{O_{DDH}}$ that breaks $\varepsilon(n)$-$P$-DDH.

Proof. We construct $\mathcal{A}^{O_{DDH}}$ as follows: Let $g^a, g^b$ and in random order $g^{P(a,b)}$ and $g^c$ be given. Since $P \in \mathcal{P}_2^*$ we can compute $g^{R(a,b)}$, $g^{S(a,b)}$ and $g^{T(a,b)}$ for $R, S, T$ satisfying relation (2) of Lemma 5 (1). $g^{T(a,b)}$ is computed twice, first with $g^{P(a,b)}$ and second with $g^c$ in the role of $g^{P(a,b)}$; denote them as $g^{T_1}$ and $g^{T_2}$. Now feed $O_{DDH}$ with the input $(g^R, g^S, g^{T_1}, g^{T_2})$ which immediately identifies which one, $g^{T_1}$ or $g^{T_2}$, has been computed from $g^{P(a,b)}$. Note that we called $O_{DDH}$ only once, thus the success probability of algorithm $\mathcal{A}^{O_{DDH}}$ is $\varepsilon(n)$. □
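The algorithm $\mathcal{A}^{O_{DDH}}$ of Lemma 6 in a toy group, as an added example that is not part of the paper: the DDH oracle is simulated through a discrete-log table, $P \in \mathcal{P}_2^*$ is passed as its $d_{ij}$ and linear $c_{ij}$ coefficients, and the group (order-1019 subgroup of $\mathbb{Z}_{2039}^*$, generator 4) and all challenge instances are constructed here for illustration.

```python
# Toy instantiation of Lemma 6 (added example, not the paper's code): a DDH oracle
# decides P-DDH for P in P_2^*, P(a,b) = (d00 a + d01 b)(d10 a + d11 b) + c10 a + c01 b + c00.
# Constructed group: order-q subgroup of Z_p^*, p = 2q+1 = 2039, q = 1019, g = 4 (not secure).
import random

P_MOD, Q_ORD, G = 2039, 1019, 4
_LOG = {pow(G, x, P_MOD): x for x in range(Q_ORD)}  # brute-force dlog, simulation only

def ddh_oracle(X, Y, Z0, Z1):
    """Perfect DDH oracle in the paper's four-input form: which of Z0, Z1 is g^{xy}?
    Only this simulated oracle reads discrete logs; the reduction below does not."""
    return 0 if _LOG[X] * _LOG[Y] % Q_ORD == _LOG[Z0] else 1

def p_ddh_from_ddh(d, c, A, B, Z0, Z1):
    """Algorithm A^{O_DDH}: with R = d00 a + d01 b, S = d10 a + d11 b and
    T = P(a,b) - (c10 a + c01 b + c00), relation (2) reads R * S = T (r3 = s3 = 0, t3 = 1).
    g^R, g^S come from g^a, g^b; g^T is formed once from each candidate; a single DDH
    query then tells which candidate was g^{P(a,b)}. Returns that candidate's index."""
    (d00, d01), (d10, d11) = d
    c10, c01, c00 = c
    gR = pow(A, d00, P_MOD) * pow(B, d01, P_MOD) % P_MOD
    gS = pow(A, d10, P_MOD) * pow(B, d11, P_MOD) % P_MOD
    lin_inv = pow(pow(A, c10, P_MOD) * pow(B, c01, P_MOD) * pow(G, c00, P_MOD), -1, P_MOD)
    gT0, gT1 = Z0 * lin_inv % P_MOD, Z1 * lin_inv % P_MOD
    return ddh_oracle(gR, gS, gT0, gT1)

def p_eval(d, c, a, b):
    """P(a,b) mod q for P in P_2^* given as (d, c)."""
    (d00, d01), (d10, d11) = d
    c10, c01, c00 = c
    return ((d00 * a + d01 * b) * (d10 * a + d11 * b) + c10 * a + c01 * b + c00) % Q_ORD

def p_ddh_instance(d, c, a, b, r, t):
    """Constructed challenge: g^a, g^b and the pair (g^{P(a,b)}, g^r) with g^{P(a,b)}
    placed at index t; the distinguisher has to recover t."""
    cands = [pow(G, p_eval(d, c, a, b), P_MOD), pow(G, r, P_MOD)]
    if t == 1:
        cands.reverse()
    return pow(G, a, P_MOD), pow(G, b, P_MOD), cands[0], cands[1]

def trials(d, c, n=50, seed=1):
    """Number of constructed instances (out of n) that the reduction decides correctly."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(n):
        a, b, t = rng.randrange(Q_ORD), rng.randrange(Q_ORD), rng.randrange(2)
        r = (p_eval(d, c, a, b) + rng.randrange(1, Q_ORD)) % Q_ORD  # r != P(a,b)
        ok += p_ddh_from_ddh(d, c, *p_ddh_instance(d, c, a, b, r, t)) == t
    return ok
```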

The next lemma says that for $P \in \mathcal{P}_{\mathrm{poly}} \setminus \mathcal{P}_2^*$ every generic algorithm that breaks $\varepsilon(n)$-$P$-DDH$_{\mathrm{nsprime}}$ for a non-negligible $\varepsilon(n)$ needs at least super-polynomial time. It proves Theorem 7 (1). The proof uses techniques due to Shoup [7].

Lemma 7. Let $m = m(n)$ be a family of integers whose smallest prime factors $p = p(n)$ are (asymptotically) lower bounded by a polynomial $R(n)$. Let $S \subset \{0,1\}^*$ be a set of at least $m$ binary strings. Let $P \in \mathcal{P}_l \setminus \mathcal{P}_2^*$. Let $\mathcal{A} = \mathcal{A}(n)$ be generic algorithms that work for groups of order $m$, run in time at most $T = T(n)$ and make calls to a (perfect) DDH-oracle. Let $a, b, c \in \mathbb{Z}_m$ be chosen at random, let $\sigma : \mathbb{Z}_m \to S$ be a random encoding function, and let $t$ be a random bit. Set $w_0 = P(a,b)$ and $w_1 = c$. Then $\Pr[\mathcal{A}(\sigma; 1, a, b, w_t, w_{1-t}) = t] \le 1/2 + O(lT^2/p)$.

Proof (Sketch). The proof follows two ideas. First, if the algorithm has a slight chance to decide $P$-DH only by making computations in the group, then this happens by an "accident" that is not very likely to happen. And second, the algorithm has no chance to get a single bit of information from the DDH-oracle, i.e. the probability that it gets a non-trivial answer from it is very small (here Lemma 5 (2) comes into play). Hence, the oracle is useless. See the full version [4] for a formal treatment of the proof. □



5 Conclusions and Open Problems

We presented a theoretical approach to a generalization of the Diffie-Hellman function. This $P$-Diffie-Hellman function is provably computationally equivalent to the Diffie-Hellman function for a certain class of groups. As the title of this paper suggests this set of functions should be viewed as a tool box. The same way the Square Exponent function was introduced as a theoretical concept first and later exploited in a cryptographic setting, we hope that one will find a useful application in some cryptographic protocols or maybe one can use it to simplify some proofs in the context of the Diffie-Hellman function.

Note that the $P$-DH function can replace the DH function in some applications. For instance the to-the-$s$ Diffie-Hellman function introduced in Section 1 can be used in protocols like the scheme for key escrow with limited time span [1].

Open Problems: As mentioned above it would be nice to have some more "real-world" applications of the $P$-Diffie-Hellman function.

The results in the computational case leave a lot of room for improvement. It would be interesting to see if one can improve our results to show that $\frac{1}{\mathrm{poly}(n)}$-CDH $\Leftrightarrow$ $\frac{1}{\mathrm{poly}(n)}$-$P$-CDH holds for $P \in \mathcal{P}_{\mathrm{poly}(n)}$. In [6] the Inverse Exponent function IE$(g^a) = g^{a^{-1}}$ is proven to be computationally equivalent to the DH function. Consequently one might ask the question what kind of functions $f$ (other than polynomials) lead to $f$-Diffie-Hellman functions $f$-DH$(g^a, g^b) = g^{f(a,b)}$ that are computationally equivalent to the DH function. Also, a generalization of the defining polynomial $P(a,b)$ to $P(a_1, \ldots, a_k)$ is possible.